
Cybersecurity researchers have uncovered four separate vulnerabilities in a core component of the Windows Task Scheduler service, which local attackers can exploit to escalate privileges and erase logs to cover up evidence of malicious activity.
The issues were found in a binary called "schtasks.exe", which enables an administrator to create, delete, query, change, run and end scheduled tasks on a local or remote computer.
"A [User Account Control] bypass vulnerability has been found in Microsoft Windows, enabling attackers to bypass the User Account Control prompt, allowing them to execute high-privilege (SYSTEM) commands without user approval," security researcher Ruben Enkaoua said in a report shared with The Hacker News.
"By exploiting this weakness, attackers can elevate their privileges and run malicious payloads with Administrator rights, leading to unauthorized access, data theft, or further system compromise."
The problem, the cybersecurity company said, arises when an attacker creates a scheduled task using a Batch Logon (i.e., a password) as opposed to an Interactive Token, which causes the Task Scheduler service to grant the running process the maximum allowed rights.
However, for this attack to work, it relies on the threat actor obtaining the password through some other means, such as authenticating against an SMB server, or cracking the NTLMv2 hash after exploiting flaws such as CVE-2023-21726.
The net result of this issue is that a low-privileged user can leverage the schtasks.exe binary to impersonate a member of groups such as Administrators, Backup Operators and Performance Log Users with a known password, and thereby obtain the maximum allowed privileges.
Registering a scheduled task using the Batch Logon authentication method with an XML file can also pave the way for two defense evasion techniques that make it possible to overwrite the Task Event Log, effectively erasing the audit trail of prior activity, as well as to overflow the Security log.
Specifically, this involves registering a task with an author name in which, say, the letter A is repeated 3,500 times in the XML file, which overwrites the entire XML task log description. This behavior can then be extended to overwrite the entire "C:\Windows\System32\winevt\Logs\Security.evtx" database.
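The two indicators described above, a task registered with a password (Batch Logon) rather than an interactive token, and an abnormally long Author field, can both be spotted in a task's XML definition before or after it is registered. The following defensive checker is an added example and is not code from the report or from Microsoft; it parses Task Scheduler XML (the real schema namespace is used, but the sample task definitions, the task names and the 1,000-character Author threshold are constructed here for illustration) and returns findings a defender could feed into an alert.

```python
import xml.etree.ElementTree as ET

# Real namespace of Task Scheduler task definition XML.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Assumed cut-off: the report describes an Author of 3,500 characters,
# so anything above 1,000 is treated as a log-overwrite attempt.
MAX_AUTHOR_LEN = 1000


def analyze_task_xml(xml_text):
    """Return a list of findings for a single task definition (empty if clean)."""
    root = ET.fromstring(xml_text)
    findings = []

    # Indicator 1: oversized <RegistrationInfo><Author> value.
    author = root.findtext("t:RegistrationInfo/t:Author", default="", namespaces=NS)
    if len(author) > MAX_AUTHOR_LEN:
        findings.append(
            f"oversized Author field ({len(author)} chars): possible task-log overwrite"
        )

    # Indicator 2: Batch Logon (LogonType=Password) instead of an interactive token.
    for principal in root.findall("t:Principals/t:Principal", NS):
        logon = principal.findtext("t:LogonType", default="", namespaces=NS)
        user = principal.findtext("t:UserId", default="<unset>", namespaces=NS)
        level = principal.findtext("t:RunLevel", default="default", namespaces=NS)
        if logon == "Password":
            findings.append(
                f"batch (password) logon as {user} with RunLevel {level}: "
                "task runs with the account's maximum allowed rights"
            )
    return findings


def scan_tasks(tasks):
    """Map task name -> findings for every task definition that has at least one."""
    return {name: analyze_task_xml(xml) for name, xml in tasks.items()
            if analyze_task_xml(xml)}


# Constructed sample: an ordinary task registered with an interactive token.
BENIGN_TASK = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Author>CONTOSO\\alice</Author></RegistrationInfo>
  <Principals>
    <Principal id="Author">
      <UserId>CONTOSO\\alice</UserId>
      <LogonType>InteractiveToken</LogonType>
    </Principal>
  </Principals>
  <Actions><Exec><Command>notepad.exe</Command></Exec></Actions>
</Task>"""

# Constructed sample: password logon as a Backup Operators member plus a
# 3,500-character Author, the pattern the report describes.
SUSPICIOUS_TASK = f"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Author>{'A' * 3500}</Author></RegistrationInfo>
  <Principals>
    <Principal id="Author">
      <UserId>CONTOSO\\backupop</UserId>
      <LogonType>Password</LogonType>
      <RunLevel>HighestAvailable</RunLevel>
    </Principal>
  </Principals>
  <Actions><Exec><Command>cmd.exe</Command></Exec></Actions>
</Task>"""

if __name__ == "__main__":
    for name, findings in scan_tasks({"Benign": BENIGN_TASK,
                                      "Suspicious": SUSPICIOUS_TASK}).items():
        for finding in findings:
            print(f"{name}: {finding}")
```

On a live host the XML for every registered task can be exported with `schtasks /query /xml` and fed to `analyze_task_xml` one definition at a time; a password logon alone is legitimate for many service tasks, so the two findings are most useful when correlated rather than alerted on individually.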
"Task Scheduler is a very interesting component. Accessible to anyone ready to create a task, initiated by a SYSTEM running service, juggling between privileges, process integrity and user impersonation," Enkaoua said.
"The first reported vulnerability is not only a UAC bypass. It is much more than that: it is essentially a way to impersonate any user with their password from the CLI and to get the maximum privileges granted on the task execution session, with the /RU and /RP flags."