Tarrask

Tarrask is malware that has been used by HAFNIUM since at least August 2021. Tarrask was designed to evade digital defenses and maintain persistence by generating concealed scheduled tasks.[1]

ID: S1011
Type: MALWARE
Platforms: Windows
Contributors: Sittikorn Sangrattanapitak
Version: 1.0
Created: 01 June 2022
Last Modified: 18 October 2022

Techniques Used

Domain ID Name Use
Enterprise T1134 .001 Access Token Manipulation: Token Impersonation/Theft

Tarrask leverages token theft to obtain lsass.exe security permissions.[1]

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

Tarrask may abuse the Windows schtasks command-line tool to create "hidden" scheduled tasks.[1]

Enterprise T1564 Hide Artifacts

Tarrask is able to create "hidden" scheduled tasks by deleting the Security Descriptor (SD) registry value.[1]

Enterprise T1036 .004 Masquerading: Masquerade Task or Service

Tarrask creates a scheduled task called "WinUpdate" to re-establish any dropped C2 connections.[1]

Enterprise T1036 .005 Masquerading: Match Legitimate Name or Location

Tarrask has masqueraded as executable files such as winupdate.exe, date.exe, or win.exe.[1]

Enterprise T1112 Modify Registry

Tarrask is able to delete the Security Descriptor (SD) registry subkey in order to "hide" scheduled tasks.[1]

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

Tarrask is able to create "hidden" scheduled tasks for persistence.[1]
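The hiding technique listed above (deleting the Security Descriptor value of a task's registry entry, T1564 and T1112) leaves a checkable gap on the host: a task whose registry entry has no SD value is not listed by the normal Task Scheduler interfaces, but the entry itself is still there. The following PowerShell is an added example for defenders, not code from the ATT&CK page or from the Tarrask report; it assumes the standard Task Scheduler cache layout under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree, where each real task entry carries Id, Index and SD values, and the function name Get-TaskWithoutSD is my own.

```powershell
# Added example: report scheduled-task registry entries whose Security Descriptor (SD)
# value is missing, the condition produced by the hiding technique described above.
# Assumption: standard Task Scheduler cache layout; run from an elevated prompt,
# since the TaskCache values are not readable by ordinary users.

$TaskTreePath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree'

function Get-TaskWithoutSD {
    param([string]$Path = $TaskTreePath)

    Get-ChildItem -Path $Path -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
        # Folder nodes in the tree have no Id value; only real task entries do.
        if ($null -eq $props -or $null -eq $props.Id) { return }

        if ($null -eq $props.SD) {
            # Relative task path, e.g. \WinUpdate or \Microsoft\Windows\SomeFolder\SomeTask
            $relative = $_.Name -replace '^.*\\Tree', ''
            [pscustomobject]@{
                TaskPath    = $relative
                TaskId      = $props.Id
                RegistryKey = $_.Name
                # The task XML normally lives under System32\Tasks; a missing file alongside a
                # missing SD value is a stronger signal than either alone.
                HasTaskFile = Test-Path -LiteralPath (Join-Path "$env:SystemRoot\System32\Tasks" $relative.TrimStart('\'))
            }
        }
    }
}

# Print findings and exit non-zero so the script can run as a recurring compliance check.
$hidden = @(Get-TaskWithoutSD)
if ($hidden.Count -eq 0) {
    Write-Output 'No scheduled task entries with a missing SD value found.'
} else {
    $hidden | Format-Table -AutoSize | Out-Host
    exit 1
}
```

Any hit should be compared against the task's own registry values and against whatever image the task launches; a legitimate task has an SD value, so an entry without one is worth treating as suspicious rather than as noise.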

Groups That Use This Software

ID Name References
G0125 HAFNIUM [1]

References