
The registry !
Again !
Give me cron any day.
The China-linked Hafnium cyber-gang is using a strain of malware to maintain a persistent presence in compromised Windows systems by creating hidden tasks that maintain backdoor access even after reboots. Researchers within Microsoft's Detection and Response Team (DART) and Threat Intelligence Center (MTIC) spotted the …
You're comparing phone cabins to potatoes.
The registry is much more than a cron table. It has good sides: it avoids having parameter files all over the file system and provides a common means for all applications to easily save settings, rather than having each one design its own.
Here the problem comes not from the registry, but from the task scheduler.
Imagine a Linux system where /etc was a mount of a filesystem type optimised for lots of small files. In essence, that's the registry.
Would that be so awful? Clearly not. Would people blame every configuration error on the underlying filesystem, rather than the end-user who wrote the wrong values into a file? Clearly.
To be fair having a central database instead of a zillion ini files makes a lot of sense.
Implementing it in the absolute worst way possible made no sense whatsoever.
Allowing it to have (easily spoofed) elevated execution rights goes beyond "no sense" all the way to "are you fucking mad?"
Not all text files are created equal: some are good, some cause more problems than they solve. But the issue here is the behaviour/ability to hide a scheduled task by removing the security descriptor registry values. If configuration were via text files, the same vulnerability would no doubt exist. As mentioned elsewhere, the GUI and schtasks need fixing. And in the short term, develop/use tools to scan scheduled tasks for missing security descriptors.
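The kind of scan the comment above asks for, as an added example that is not part of the article, the Microsoft write-up or any commenter's post: it walks the Task Scheduler's registry cache, reports every entry whose SD (security descriptor) value is absent, and cross-checks task entries against what the scheduler API itself is willing to list. It assumes the standard TaskCache\Tree location under HKLM, an elevated session (the Tree subkeys are not readable by standard users) and that task keys carry an Index value while folder keys do not; those are assumptions about the registry layout, not facts stated on this page.

```powershell
# Added example, not code from the article or from any commenter.
# Flags Task Scheduler registry entries that lack an 'SD' (security descriptor) value
# and cross-checks task entries against what the Task Scheduler API reports.
# Assumptions: standard TaskCache\Tree location; run from an elevated session;
# task keys carry an 'Index' value, folder keys do not.
$TreePath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree'

function Get-SuspiciousTaskEntry {
    param([string]$Path = $TreePath)

    # Tasks the scheduler itself will show; an entry hidden by SD removal
    # is present in the registry but missing from this list.
    $visible = @{}
    Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
        $visible[($_.TaskPath + $_.TaskName)] = $true
    }

    Get-ChildItem -Path $Path -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $key   = $_
        $props = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
        if ($null -eq $props) { return }

        # Key name relative to Tree, e.g. '\Microsoft\Windows\Foo\Bar'
        $rel    = $key.Name.Substring($key.Name.IndexOf('\Tree') + 5)
        $hasSD  = $null -ne $props.PSObject.Properties['SD']
        $isTask = $null -ne $props.PSObject.Properties['Index']   # assumption: tasks have Index

        $reasons = @()
        if (-not $hasSD) { $reasons += 'missing SD value' }
        if ($isTask -and -not $visible.ContainsKey($rel)) {
            $reasons += 'not returned by Get-ScheduledTask'
        }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Entry   = $rel
                Kind    = $(if ($isTask) { 'Task' } else { 'Folder' })
                Id      = $props.Id
                Reasons = ($reasons -join '; ')
            }
        }
    }
}

Get-SuspiciousTaskEntry | Format-Table -AutoSize
```

Both signals are reported separately because they catch different things: a missing SD is the direct artefact the comment describes, while a task key that the API does not return is the observable effect of it. An empty result on a clean machine is the expected baseline; any hit is worth checking against the task's Actions and Triggers in the corresponding TaskCache\Tasks entry before deciding it is malicious.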
I will guarantee that what happened was, there were no security descriptors.
Then they added security descriptors, and all the code was designed to expect them.
Then - a few days/months after release, they realised that legacy non-security descriptor jobs existed and were causing errors because NULLs weren't expected.
So they removed the requirement for non-null descriptors.
BTDTGTTS
Now, if I were running that project, there would have been some sort of upgrade process INSIDE THE APP (so as you can't evade it) that at least created a default descriptor (maybe name+date) so that future code worked properly.
"It can be time-consuming if done manually, and there are automated tools that can examine the registry to highlight or automatically remove suspicious entries."
@ElReg: Would you mind being more specific about such tools?
Moreover, the MS blog only mentions Microsoft 365 Defender (Microsoft Defender for Endpoint) or Microsoft Sentinel as detection tools. What about the plain vanilla MS Defender Antivirus?