A new tool that hides the existence of scheduled tasks is being used by the Chinese-backed Hafnium group, according to recently released research by Microsoft. Hafnium is believed to be a Chinese state-sponsored group that primarily targets entities in the United States across a number of industry sectors.
The tool, dubbed Tarrask, uses a previously unknown Windows bug to hide tasks from the schtasks.exe executable and the Task Scheduler. It does this by deleting the Security Descriptor registry value that is created automatically when a task is registered. Once that value is gone, the only way to see the scheduled task is to inspect the Registry directly, which lets the threat actor effectively conceal its persistence mechanism. Not only does this stop the task from being listed by the normal tools, it also prevents the task from being deleted unless the deletion is performed in the context of the SYSTEM user.
Deleting further Registry keys under the same path could have allowed the threat actors to remove all on-disk artifacts associated with the task while still allowing it to execute. According to Microsoft, however, a task stripped that far only keeps running until the system reboots, so either the threat actors wanted their task to survive reboots or they were unaware of this additional option.
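The gap the article describes, a task that the Task Scheduler cannot enumerate but that still has an entry in the Registry, is something a defender can check for directly. The script below is an added example and is not code from the article or from Microsoft's research: it walks the Task Scheduler's registry cache, flags every task entry that has no security descriptor value, and cross-checks the registry entries against what Get-ScheduledTask reports. The registry location and the "SD" and "Id" value names are the standard Windows Task Scheduler locations; the function names are this example's own. Run it from an elevated PowerShell session.

```powershell
# Added defensive example: list scheduled tasks from the Task Scheduler's
# registry cache and flag entries whose security descriptor ("SD") value is
# missing, or that the scheduler API does not enumerate at all.
# Assumed standard locations: TaskCache\Tree holds one key per task; a task key
# carries an "Id" value and, normally, an "SD" value.

$RegTree = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree'
# Prefix as it appears in Get-ChildItem's .Name, used to derive the task path
$Prefix  = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree'

function Get-TaskCacheEntries {
    # Walk the Tree key recursively. Folder keys have no "Id" value; task keys do.
    Get-ChildItem -Path $RegTree -Recurse | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath
        if ($null -ne $props.Id) {
            [PSCustomObject]@{
                TaskPath = $_.Name.Substring($Prefix.Length)  # e.g. \Microsoft\Windows\Foo\Bar
                Id       = $props.Id
                HasSD    = ($null -ne $props.SD)              # SD is REG_BINARY when present
            }
        }
    }
}

function Find-HiddenTasks {
    # Build the set of task paths the scheduler API is willing to show.
    $visible = @{}
    Get-ScheduledTask | ForEach-Object {
        $visible[$_.TaskPath + $_.TaskName] = $true        # TaskPath ends with '\'
    }

    # Report registry entries that either lack an SD value or are absent from
    # the API's view. Legitimate tasks should satisfy neither condition.
    Get-TaskCacheEntries | ForEach-Object {
        $entry = $_
        $missingFromApi = -not $visible.ContainsKey($entry.TaskPath)
        if (-not $entry.HasSD -or $missingFromApi) {
            [PSCustomObject]@{
                TaskPath       = $entry.TaskPath
                Id             = $entry.Id
                HasSD          = $entry.HasSD
                MissingFromApi = $missingFromApi
            }
        }
    }
}

# Usage: print anything suspicious; an empty result means every cached task has
# its SD value and is visible through the normal Task Scheduler interface.
Find-HiddenTasks | Format-Table TaskPath, Id, HasSD, MissingFromApi -AutoSize
```

Two points on the design: the comparison is keyed on the full task path because the scheduler reports the folder and the name separately, while the registry encodes both in the key path; and a hit on either condition is reported rather than requiring both, so a task that is still visible but has lost its SD value (the reverse of what the article describes) is also surfaced for review.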