Giters

wit0k / tarrask

Tarrask: Hafnium's persistence via hidden scheduled task

Geek Repo:Geek Repo

Github PK Tool:Github PK Tool

Tarrask

Tarrask: Hafnium's persistence via hidden scheduled task

Research

Today I decided to start paying my Cyber Security community debt and contribute into Forensics and Threat Hunting space. I am going to share possibly an unusual way of hunting for hidden Windows 10 scheduled tasks in memory, allowing to detect tasks having no registry nor disk artifacts.

image

Feel free to look at my quick research #Tarrask - Deep dive - Hidden Scheduled Task, it consist of following topics:

  • Scheduled Task Artifacts
  • Hiding Scheduled Task
  • Detecting Hidden Scheduled Tasks
  • Analyzing Hidden Scheduled Tasks
  • Tools (TaskHunter & GetTasks)
  • Key Takeaways

P.S The tools are quickly written PoC scripts, only tested few Windows 10 systems. Additionally, you would spot that Microsoft Windows itself is using few hidden tasks by default.

About

Tarrask: Hafnium's persistence via hidden scheduled task

License:MIT License

Languages

Language:PowerShell 53.5%Language:Python 46.5%