Cybersecurity researchers have identified four vulnerabilities in a core component of the Windows Task Scheduler that could be exploited by local attackers to escalate privileges and erase logs to conceal evidence of malicious activity.
The issues were found in a binary named "schtasks.exe," which enables an administrator to create, delete, query, change, run, and end scheduled tasks on a local or remote computer.
"A [User Account Control] bypass vulnerability has been discovered in Microsoft Windows, enabling attackers to bypass the User Account Control prompt and allowing them to execute high-privilege (SYSTEM) commands without user consent," Cymulate security researcher Ruben Enkaoua said in a report shared with The Hacker News.
Attackers can "upgrade their privileges and execute malicious payloads with Administrators' rights, resulting in unauthorized access, data theft, or additional system compromise," according to the report.
According to the cybersecurity firm, the issue arises when an attacker creates a scheduled task using Batch Logon rather than an Interactive Token, causing the Task Scheduler service to grant the running process the maximum allowed rights.
For this attack to succeed, however, the threat actor must first obtain the target account's password by other means, such as exploiting other vulnerabilities or recovering it from an NTLMv2 hash captured after authenticating against an SMB server.
The net result is that a low-privileged user with a known password can use the schtasks.exe binary to act as a member of groups such as Administrators, Backup Operators, and Performance Log Users and thereby obtain the maximum allowed privileges.
Registering a scheduled task from an XML file using the Batch Logon authentication method can also enable two defense evasion techniques: overwriting the task event log, effectively erasing it, and overflowing the Security log.
Specifically, this involves registering a task whose author name in the XML file is "A" repeated three times, causing the entire XML task log description to be overwritten. The behavior can then be extended to overwrite the entire "C:\Windows\System32\winevt\logs\Security.evtx" file.
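As an added illustration from the defender's side (not code from Cymulate or the report), the following Python script audits a scheduled-task XML definition for the two indicators described above: a principal registered with a batch (Password) logon rather than an interactive token, and an abnormally long Author field. The namespace is the standard Task Scheduler XML schema; the sample task definitions and the length threshold are constructed assumptions.

```python
import xml.etree.ElementTree as ET

# Namespace of the Task Scheduler XML schema consumed by schtasks /create /xml.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Author strings longer than this are flagged; the threshold is an assumption, not from the report.
MAX_AUTHOR_LEN = 256


def audit_task_xml(xml_text):
    """Return a list of findings for one scheduled-task XML definition."""
    root = ET.fromstring(xml_text)
    findings = []
    author = root.findtext("t:RegistrationInfo/t:Author", default="", namespaces=NS)
    if len(author) > MAX_AUTHOR_LEN:
        findings.append(f"oversized Author field ({len(author)} chars): possible log-overwrite attempt")
    for principal in root.findall("t:Principals/t:Principal", NS):
        logon = principal.findtext("t:LogonType", default="", namespaces=NS)
        level = principal.findtext("t:RunLevel", default="LeastPrivilege", namespaces=NS)
        user = principal.findtext("t:UserId", default="", namespaces=NS)
        # LogonType "Password" is the batch logon that schtasks /ru <user> /rp <password> produces.
        if logon == "Password":
            findings.append(f"batch (Password) logon for user {user!r}")
            if level == "HighestAvailable":
                findings.append("batch logon combined with RunLevel=HighestAvailable")
    return findings


# Constructed sample definitions (not real tasks from the report).
BENIGN_TASK = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Author>CORP\\alice</Author></RegistrationInfo>
  <Principals><Principal id="Author"><UserId>CORP\\alice</UserId>
    <LogonType>InteractiveToken</LogonType><RunLevel>LeastPrivilege</RunLevel></Principal></Principals>
</Task>"""

SUSPICIOUS_TASK = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Author>{author}</Author></RegistrationInfo>
  <Principals><Principal id="Author"><UserId>Administrator</UserId>
    <LogonType>Password</LogonType><RunLevel>HighestAvailable</RunLevel></Principal></Principals>
</Task>""".format(author="A" * 4000)

if __name__ == "__main__":
    for name, xml_text in (("benign", BENIGN_TASK), ("suspicious", SUSPICIOUS_TASK)):
        print(name, audit_task_xml(xml_text) or ["no findings"])
```

The same function can be run over definitions exported with schtasks /query /xml to review existing tasks on a host.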
"The Task Scheduler is a very intriguing aspect. It is accessible to anyone who is ready to juggle between the permissions, the process integration, and user impersonations by creating a job initiated by a SYSTEM running service," Enkaoua said.
"The second risk that has been identified is not just a UAC bypass. It offers far more than that: it basically allows you to use the /ru and /rp flags to gain the most privileges on the task execution session while impersonating any user with its CLI password."