{
	"id": "69b361db-3006-449c-ad56-77c70e10c70b",
	"created_at": "2026-04-06T00:10:39.787479Z",
	"updated_at": "2026-04-10T13:11:27.194938Z",
	"deleted_at": null,
	"sha1_hash": "d241c0219abdc86fb9ac698268dd8512c8037178",
	"title": "Tarrask malware uses scheduled tasks for defense evasion | Microsoft Security Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 879449,
	"plain_text": "Tarrask malware uses scheduled tasks for defense evasion | Microsoft\r\nSecurity Blog\r\nBy Microsoft Incident Response, Microsoft Threat Intelligence\r\nPublished: 2022-04-12 · Archived: 2026-04-02 11:47:38 UTC\r\nApril 2023 update – Microsoft Threat Intelligence has shifted to a new threat actor naming taxonomy aligned around the\r\ntheme of weather. HAFNIUM is now tracked as Silk Typhoon.\r\nTo learn about how the new taxonomy represents the origin, unique traits, and impact of threat actors, and to get a complete\r\nmapping of threat actor names, read this blog: Microsoft shifts to a new threat actor naming taxonomy.\r\nAs Microsoft continues to track the high-priority state-sponsored threat actor HAFNIUM, new activity has been uncovered\r\nthat leverages unpatched zero-day vulnerabilities as initial vectors. The Microsoft Detection and Response Team (DART) in\r\ncollaboration with the Microsoft Threat Intelligence Center (MSTIC) identified a multi-stage attack targeting the Zoho\r\nManage Engine Rest API authentication bypass vulnerability to initially implant a Godzilla web shell with similar properties\r\ndetailed by the Unit42 team in a previous blog.\r\nMicrosoft observed HAFNIUM from August 2021 to February 2022, target those in the telecommunication, internet service\r\nprovider and data services sector, expanding on targeted sectors observed from their earlier operations conducted in Spring\r\n2021.\r\nFurther investigation reveals forensic artifacts of the usage of Impacket tooling for lateral movement and execution and the\r\ndiscovery of a defense evasion malware called Tarrask that creates “hidden” scheduled tasks, and subsequent actions to\r\nremove the task attributes, to conceal the scheduled tasks from traditional means of identification.\r\nThe blog outlines the simplicity of the malware technique Tarrask uses, while highlighting that scheduled task abuse is a\r\nvery common method of persistence and defense evasion—and an 
enticing one, at that. In this post, we will demonstrate\r\nhow threat actors create scheduled tasks, how they cover their tracks, how the malware’s evasion techniques are used to\r\nmaintain and ensure persistence on systems, and how to protect against this tactic.\r\nRight on schedule: Maintaining persistence via scheduled tasks\r\nWindows Task Scheduler is a service that allows users to perform automated tasks (scheduled tasks) on a chosen computer\r\nfor legitimate administrative purposes (e.g., scheduled updates for browsers and other applications).\r\nThroughout the course of our research, we’ve found that threat actors commonly make use of this service to maintain\r\npersistence within a Windows environment.\r\nWe’ve noted that the Tarrask malware generates several artifacts upon the creation of a scheduled task, whether using the\r\nTask Scheduler GUI or the schtasks command line utility. Profiling the use of either of these tools can aid investigators in\r\ntracking this persistence mechanism.\r\nThe following registry keys are created upon creation of a new task:\r\nHKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\TASK_NAME\r\nhttps://www.microsoft.com/security/blog/2022/04/12/tarrask-malware-uses-scheduled-tasks-for-defense-evasion/\r\nPage 1 of 7\n\nHKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\{GUID}\r\nFigure 1. Tarrask malware creates new registry keys along with the creation of new scheduled tasks\r\nThe first subkey, created within the Tree path, matches the name of the scheduled task. The values created within it (Id,\r\nIndex, and SD) contain metadata for task registration within the system. The second subkey, created within the Tasks path,\r\nis a GUID mapping to the Id value found in the Tree key. The values created within (Actions, Path, Triggers, etc.) 
contain\r\nthe basic parameters necessary to facilitate execution of the task.\r\nTo demonstrate the value in the artifacts generated, shown in the following figures, we have created “My Special Task”\r\nwhich is set to execute the binary “C:\\Windows\\System32\\calc.exe” on a regular interval.\r\nFigure 2. XML file matches name of the task\r\nSimilar information is also stored within an extensionless XML file created within C:\\Windows\\System32\\Tasks, where the\r\nname of the file matches the name of the task. This is displayed in Figure 2, where we name the task “My Special Task” as\r\nan example.\r\nFigure 3. Extensionless XML file\r\nNote that the “Actions” value stored within the Tasks\\{GUID} key points to the command line associated with the task. In\r\nFigure 2, there is a reference to “C:\\Windows\\System32\\calc.exe” within the “Edit Binary Value” dialog, and there is a path\r\nreferenced within the “\u003cCommand\u003e” section in the extensionless XML file in Figure 3. The fact that this value is stored\r\nwithin two different locations can prove useful in recovering information regarding the task’s purpose in the event the threat\r\nactor has taken steps to cover their tracks.\r\nFinally, there are two Windows event logs that record actions related to the creation and operation of Scheduled Tasks –\r\nEvent ID 4698 within the Security.evtx log, and the Microsoft-Windows-TaskScheduler/Operational.evtx log.\r\nNeither of these is audited by default and must be explicitly turned on by an administrator. 
Microsoft-Windows-TaskScheduler/Maintenance.evtx will exist by default, but only contains maintenance-related information for the Task\r\nScheduler engine.\r\nEffectively hiding scheduled tasks\r\nIn this scenario, the threat actor created a scheduled task named “WinUpdate” via HackTool:Win64/Tarrask in order to re-establish any dropped connections to their command and control (C\u0026C) infrastructure. This resulted in the creation of the\r\nregistry keys and values described in the earlier section; however, the threat actor deleted the SD value within the Tree\r\nregistry path.\r\nFigure 4. Deletion of the security descriptor (SD) value\r\nIn this context, SD refers to the Security Descriptor, which determines the users allowed to run the task. Interestingly,\r\nremoval of this value results in the task “disappearing” from “schtasks /query” and Task Scheduler. The task is effectively\r\nhidden unless an examiner manually inspects the aforementioned registry paths.\r\nIssuing a “reg delete” command to delete the SD value will result in an “Access Denied” error even when run from an\r\nelevated command prompt. Deletion must occur within the context of the SYSTEM user. It is for this reason that the Tarrask\r\nmalware utilized token theft to obtain the security permissions associated with the lsass.exe process. Upon execution of the\r\ntoken theft, the malware could operate with the same privileges as LSASS, making the deletion possible.\r\nFigure 5. Successful deletion of SD in Command Prompt\r\nIt is also important to note that the threat actor could have chosen to completely remove the two registry keys within Tree\r\nand Tasks, and the XML file created within C:\\Windows\\System32\\Tasks. 
This would effectively remove the on-disk artifacts\r\nassociated with the scheduled task, but the task would continue to run according to the defined triggers until the system\r\nrebooted, or until the associated svchost.exe process responsible for executing the task was terminated.\r\nIt’s possible the threat actor wanted to ensure persistence across reboots and therefore chose not to perform those steps,\r\ninstead deleting only the SD value; however, we also speculate that the threat actor was unaware that the task would\r\ncontinue to run even after these components were removed.\r\nRecommendations and cyber resilience guidance\r\nJob or task schedulers are services that have been present in the Windows operating system for many years. The attacks we\r\ndescribed signify how the threat actor HAFNIUM displays a unique understanding of the Windows subsystem and uses this\r\nexpertise to mask activities on targeted endpoints to maintain persistence on affected systems and hide in plain sight.\r\nAs such, we recognize that scheduled tasks are an effective tool for adversaries to automate certain tasks while achieving\r\npersistence, which brings us to raising awareness about this oft-overlooked technique. We also want to bring attention to the\r\nfact that threat actors may utilize this method of evasion to maintain access to high value targets in a manner that will likely\r\nremain undetected. 
This could be especially problematic for systems that are infrequently rebooted (e.g., critical systems\r\nsuch as domain controllers, database servers, etc.).\r\nThe techniques used by the actor and described in this post can be mitigated or detected by adopting the following\r\nrecommendations and security guidelines[1]:\r\nEnumerate your Windows environment registry hives looking in the\r\nHKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree registry\r\nhive and identify any scheduled tasks without SD (security descriptor) Value within the Task Key. Perform analysis\r\non these tasks as needed.\r\nModify your audit policy to identify Scheduled Tasks actions by enabling logging “TaskOperational” within\r\nMicrosoft-Windows-TaskScheduler/Operational. Apply the recommended Microsoft audit policy settings suitable to\r\nyour environment.\r\nEnable and centralize the following Task Scheduler logs. Even if the tasks are ‘hidden’, these logs track key events\r\nrelating to them that could lead you to discovering a well-hidden persistence mechanism:\r\nEvent ID 4698 within the Security.evtx log\r\nMicrosoft-Windows-TaskScheduler/Operational.evtx log\r\nThe threat actors in this campaign used hidden scheduled tasks to maintain access to critical assets exposed to the\r\ninternet by regularly re-establishing outbound communications with C\u0026C infrastructure. Remain vigilant and\r\nmonitor uncommon behavior of your outbound communications by ensuring that monitoring and alerting for these\r\nconnections from these critical Tier 0 and Tier 1 assets is in place.\r\nIndicators of compromise (IOCs)\r\nThe following list provides IOCs observed during our investigation. 
We encourage customers to investigate these indicators\r\nin their environments and implement detections and protections to identify past related activity and prevent future attacks\r\nagainst their systems.\r\nSHA256 | File Name | Details\r\n54660bd327c9b9d60a5b45cc59477c75b4a8e2266d988da8ed9956bcc95e6795 | winupdate.exe, date.exe, win.exe | Tarrask\r\na3baacffb7c74dc43bd4624a6abcd1c311e70a46b40dcc695b180556a9aa3bb2 | windowsvc.exe, winsrv.exe, WinSvc.exe, ScriptRun.exe, Unique.exe, ngcsvc.exe, ligolo_windows_amd64.exe, proxy.zip, wshqos.exe, cert.exe, ldaputility.exe | Ligolo\r\n7e0f350864fb919917914b380da8d9b218139f61ab5e9b28b41ab94c2477b16d | CertCert.jsp, Cert0365.jsp | Godzilla web shell\r\nMicrosoft 365 Defender Detections\r\nHow customers can identify this in Microsoft 365 Defender:\r\nMicrosoft Defender Antivirus\r\nMicrosoft Defender for Endpoint detects implants and components as the following:\r\nHackTool:Win64/Tarrask!MSR\r\nHackTool:Win64/Ligolo!MSR\r\nMicrosoft Defender for Endpoint detects malicious behavior observed as the following:\r\nBehavior:Win32/ScheduledTaskHide.A\r\nMicrosoft Sentinel Detections\r\nMicrosoft Sentinel customers can use the following detection queries to look for this activity:\r\nTarrask malware hash IOC: This query identifies a hash match related to Tarrask malware across various data\r\nsources.\r\nScheduled Task Hide: This query uses Windows Security Events to detect attempts by malware to hide the scheduled\r\ntask by deleting the SD (Security Descriptor) value. Removal of SD value results in the scheduled task\r\n“disappearing” from “schtasks /query” and Task Scheduler.\r\nMicrosoft Defender AV Hits: This query looks for Microsoft Defender AV detections related to Tarrask malware\r\nusing SecurityAlerts table. 
In Microsoft Sentinel the SecurityAlerts table includes only the Device Name of the\r\naffected device; this query joins the DeviceInfo table to clearly connect other information such as Device group, IP,\r\nlogged on users etc. This way, the Microsoft Sentinel user can have all the pertinent device info in one view for the\r\nalerts.\r\n[1] The technical information contained in this article is provided for general informational and educational purposes only and\r\nis not a substitute for professional advice. Accordingly, before taking any action based upon such information, we encourage\r\nyou to consult with the appropriate professionals. We do not provide any kind of guarantee of a certain outcome or result\r\nbased on the information provided. Therefore, the use of or reliance on any information contained in this article is solely at your\r\nown risk.\r\nSource: https://www.microsoft.com/security/blog/2022/04/12/tarrask-malware-uses-scheduled-tasks-for-defense-evasion/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.microsoft.com/security/blog/2022/04/12/tarrask-malware-uses-scheduled-tasks-for-defense-evasion/"
	],
	"report_names": [
		"tarrask-malware-uses-scheduled-tasks-for-defense-evasion"
	],
	"threat_actors": [
		{
			"id": "7c969685-459b-4c93-a788-74108eab6f47",
			"created_at": "2023-01-06T13:46:39.189751Z",
			"updated_at": "2026-04-10T02:00:03.241102Z",
			"deleted_at": null,
			"main_name": "HAFNIUM",
			"aliases": [
				"Red Dev 13",
				"Silk Typhoon",
				"MURKY PANDA",
				"ATK233",
				"G0125",
				"Operation Exchange Marauder"
			],
			"source_name": "MISPGALAXY:HAFNIUM",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2704d770-43b4-4bc4-8a5a-05df87416848",
			"created_at": "2022-10-25T15:50:23.306305Z",
			"updated_at": "2026-04-10T02:00:05.296581Z",
			"deleted_at": null,
			"main_name": "HAFNIUM",
			"aliases": [
				"HAFNIUM",
				"Operation Exchange Marauder",
				"Silk Typhoon"
			],
			"source_name": "MITRE:HAFNIUM",
			"tools": [
				"Tarrask",
				"ASPXSpy",
				"Impacket",
				"PsExec",
				"China Chopper"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "529c1ae9-4579-4245-86a6-20f4563a695d",
			"created_at": "2022-10-25T16:07:23.702006Z",
			"updated_at": "2026-04-10T02:00:04.71708Z",
			"deleted_at": null,
			"main_name": "Hafnium",
			"aliases": [
				"G0125",
				"Murky Panda",
				"Red Dev 13",
				"Silk Typhoon"
			],
			"source_name": "ETDA:Hafnium",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434239,
	"ts_updated_at": 1775826687,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d241c0219abdc86fb9ac698268dd8512c8037178.pdf",
		"text": "https://archive.orkl.eu/d241c0219abdc86fb9ac698268dd8512c8037178.txt",
		"img": "https://archive.orkl.eu/d241c0219abdc86fb9ac698268dd8512c8037178.jpg"
	}
}