A C# port from Invoke-GhostTask

Tampering with Scheduled Task has been known and already worked with, in simply editing the tasks using the GUI interface or just the schtasks command when this happens they will leave an EventLog behind (4698)

When editing a task this will also leave an EventLog behind (4702) we can see in the screenshot below that there was an update on a Task

Scheduled Tasks can be edited in a more complicated way via the Registry Keys, that's where Invoke-GhostTask by @SchrodingersAV comes in handy. SharpGhostTask basically uses the method from Invoke-GhostTask to edit the Registry Keys manipulating the binary values of the Task that is targetted.

We can see below how this looks in the Registry Keys

SharpGhostTask will replace the binary value without breaking the rest of the Scheduled Task. This way replacing it with a payload that we control, in the following example we see the replaced binary value this time pointing to calc

By replacing this value via Registry Keys we also avoid the (4702) log from the Event Viewer, but monitoring the Registry Keys can be a giveaway. And this also comes with Challenges you will need SYSTEM Access to be able to edit these Registry Key Tasks. I've had luck executing the Task once it was changed, but to be safe a Restart is required.