Scheduled Tasks


PS C:\Windows\system32> Get-ScheduledTask | where {$_.TaskPath -notlike "\Microsoft*" } | ft TaskName,TaskPath,State
 
TaskName                                                                       TaskPath    State
--------                                                                       --------    -----
OneDrive Reporting Task-S-1-5-21-3555993375-1320373569-1431083245-1001         \        Disabled
OneDrive Standalone Update Task-S-1-5-21-3555993375-1320373569-1431083245-1001 \        Disabled
Theme Exec                                                                     \         Running

A non-default scheduled task has been identified (the two OneDrive tasks are disabled and per-user; the remaining one is not Microsoft's): \Theme Exec

\Theme Exec


PS C:\Windows\system32> schtasks /QUERY /TN "\Theme Exec" /V /FO LIST
 
Folder: \
HostName:                             AERO
TaskName:                             \Theme Exec
Next Run Time:                        N/A
Status:                               Running
Logon Mode:                           Interactive only
Last Run Time:                        1/16/2024 3:14:51 AM
Last Result:                          -2147020576
Author:                               AERO\sam.emerson
Task To Run:                          powershell.exe -ep bypass -NoExit -file C:\Users\sam.emerson\Documents\watchdog.ps1
Start In:                             N/A
Comment:                              N/A
Scheduled Task State:                 Enabled
Idle Time:                            Disabled
Power Management:                     Stop On Battery Mode
Run As User:                          sam.emerson
Delete Task If Not Rescheduled:       Disabled
Stop Task If Runs X Hours and X Mins: 72:00:00
Schedule:                             Scheduling data is not available in this format.
Schedule Type:                        At logon time
Start Time:                           N/A
Start Date:                           N/A
End Date:                             N/A
Days:                                 N/A
Months:                               N/A
Repeat: Every:                        N/A
Repeat: Until: Time:                  N/A
Repeat: Until: Duration:              N/A
Repeat: Stop If Still Running:        N/A
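The two commands above do the job by hand: the one-liner lists everything outside \Microsoft\, and the schtasks query then pulls the principal, trigger and command line for the one task that looked wrong. The helper below is an added example (editor's code, not from the original notes) that does the same triage in one pass with the ScheduledTasks module: it reports run-as user, logon type, trigger class, command line and last result for every non-Microsoft task, renders the Last Result as an HRESULT and decodes it when it is a wrapped Win32 error, and flags command lines that match a small pattern list. The pattern list and the choice of what counts as suspicious are assumptions of this example.

```powershell
# Added triage helper (not from the original notes). Requires the ScheduledTasks
# module (Windows 8 / Server 2012 and later). Patterns below are the editor's
# assumptions about what a persistence-style task command line looks like.
$suspiciousArgs = @('-ep bypass', '-ExecutionPolicy Bypass', '-enc', '-EncodedCommand',
                    '-w hidden', 'IEX', 'DownloadString', '\Users\', '\Temp\', '\ProgramData\')

function Get-TaskHuntReport {
    Get-ScheduledTask | Where-Object { $_.TaskPath -notlike '\Microsoft\*' } | ForEach-Object {
        $task = $_
        $info = $task | Get-ScheduledTaskInfo

        # Actions is an array; join them so a multi-action task is still one row.
        # ComHandler actions have no Execute/Arguments and collapse to an empty string.
        $cmd = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)".Trim() }) -join ' ; '

        # LastTaskResult is a UInt32. schtasks prints it as a signed value
        # (-2147020576 above); shown as hex that is 0x800710E0. When the high word
        # is 0x8007 (FACILITY_WIN32) the low word is a plain Win32 error code that
        # Win32Exception can turn into text.
        $code = [uint32]$info.LastTaskResult
        $hr   = '0x{0:X8}' -f $code
        $lastResult = $hr
        if (($code -shr 16) -eq 0x8007) {
            $win32 = New-Object System.ComponentModel.Win32Exception([int]($code -band 0xFFFF))
            $lastResult = "$hr ($($win32.Message))"
        }

        $hits = $suspiciousArgs | Where-Object { $cmd -like "*$_*" }

        [pscustomobject]@{
            Task       = "$($task.TaskPath)$($task.TaskName)"
            State      = $task.State
            Author     = $task.Author
            RunAs      = $task.Principal.UserId
            LogonType  = $task.Principal.LogonType
            Trigger    = ($task.Triggers | ForEach-Object { $_.CimClass.CimClassName -replace '^MSFT_Task', '' }) -join ','
            LastRun    = $info.LastRunTime
            LastResult = $lastResult
            Command    = $cmd
            Flags      = $hits -join ','
        }
    }
}

# Usage: full report, or only the tasks that matched a pattern.
Get-TaskHuntReport | Format-List
Get-TaskHuntReport | Where-Object { $_.Flags } | Format-List
```

On the host above this would surface \Theme Exec with RunAs sam.emerson, LogonType Interactive, Trigger LogonTrigger and a Flags column containing `-ep bypass` and `\Users\`, which is exactly the combination the manual schtasks query had to be read line by line to find.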

powershell.exe -ep bypass -NoExit -file C:\Users\sam.emerson\Documents\watchdog.ps1

watchdog.ps1


PS C:\Windows\system32> cat C:\Users\sam.emerson\Documents\watchdog.ps1
$directory = "c:\inetpub\aero\uploads"
 
function New-FileCreated {
    param($path)
    if (Get-Process -Name SystemSettings -ea SilentlyContinue){
        Stop-Process -name SystemSettings -Force
        }
    Start-Process -FilePath $path; sleep 15
    Remove-Item -Force $path
}
 
$action = {
    $path = $Event.SourceEventArgs.FullPath
    New-FileCreated -path $path
    write-host "new theme uploaded at:  $path"
}
 
$theme_watchdog = New-Object System.IO.FileSystemWatcher
$theme_watchdog.Path = $directory
$theme_watchdog.Filter = "*.theme"
$theme_watchdog.IncludeSubdirectories = $false
$theme_watchdog.EnableRaisingEvents = $true
 
Register-ObjectEvent $theme_watchdog Created -Action $action -SourceIdentifier theme_watchdog
 
 
$themepack_watchdog = New-Object System.IO.FileSystemWatcher
$themepack_watchdog.Path = $directory
$themepack_watchdog.Filter = "*.themepack"
$themepack_watchdog.IncludeSubdirectories = $false
$themepack_watchdog.EnableRaisingEvents = $true
 
Register-ObjectEvent $themepack_watchdog Created -Action $action -SourceIdentifier themepack_watchdog

watchdog.ps1 is not a periodic job: it registers a FileSystemWatcher Created event for *.theme and *.themepack files in c:\inetpub\aero\uploads and, for every matching file that appears, kills any running SystemSettings process, opens the file with Start-Process (i.e. whatever the shell handler for that extension is), waits 15 seconds and then deletes it. The -NoExit on the task command line is what keeps the PowerShell process, and therefore the event subscriptions, alive after the script body returns. Because the task is triggered at logon and runs as sam.emerson in that user's interactive session, anything uploaded into that directory is opened as sam.emerson, which is the path that was used to exploit CVE-2023-38146 (ThemeBleed, the Windows Themes remote code execution bug, for which opening a crafted theme file is enough). Note also that the Remove-Item means the uploaded payload is gone from the uploads directory 15 seconds after it is opened, so its absence on disk does not mean nothing was dropped there.
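Two questions follow directly from the script above and are worth answering on the box rather than assuming: which program the shell actually runs when Start-Process is handed a .theme or .themepack file, and who is able to write into the watched directory and therefore feed the watcher. The block below is an added check (editor's code, not part of the original notes or of watchdog.ps1) that resolves both from the live system. The directory path and the two extensions are taken from the script; everything else is looked up at run time, so nothing about the handler or the ACL is hard-coded.

```powershell
# Added check (not from the original notes). $uploads and $extensions are the
# values watchdog.ps1 uses; the handler and ACL results come from the host.
$uploads    = 'c:\inetpub\aero\uploads'
$extensions = '.theme', '.themepack'

function Get-ShellOpenHandler {
    param([string]$Extension)
    # HKCR\.ext's default value names the ProgID; that ProgID's shell\open\command
    # is the command ShellExecute (and so Start-Process -FilePath) runs for the file.
    $extKey = "Registry::HKEY_CLASSES_ROOT\$Extension"
    $progId = (Get-ItemProperty -Path $extKey -ErrorAction SilentlyContinue).'(default)'
    if (-not $progId) {
        return [pscustomobject]@{ Extension = $Extension; ProgId = $null; Command = $null }
    }
    $cmdKey  = "Registry::HKEY_CLASSES_ROOT\$progId\shell\open\command"
    $command = (Get-ItemProperty -Path $cmdKey -ErrorAction SilentlyContinue).'(default)'
    [pscustomobject]@{ Extension = $Extension; ProgId = $progId; Command = $command }
}

function Get-WriteAccess {
    param([string]$Path)
    # Every Allow ACE that carries a write-type right. Any identity listed here
    # (typically the web application's account for an upload folder) can create
    # a file that the watcher will open as sam.emerson.
    $writeBits = [System.Security.AccessControl.FileSystemRights]'Write, CreateFiles, Modify, FullControl'
    (Get-Acl -Path $Path).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and ($_.FileSystemRights -band $writeBits) } |
        Select-Object IdentityReference, FileSystemRights, IsInherited
}

$extensions | ForEach-Object { Get-ShellOpenHandler -Extension $_ } | Format-List
Get-WriteAccess -Path $uploads | Format-Table -AutoSize
```

The handler lookup is the part that turns "Start-Process on a theme file" into a concrete process name to hunt for in process creation logs, and the ACL listing is what establishes that the watcher is reachable from the web tier rather than only by the local user.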