Windows Task Scheduler: Attackers Can Now Gain Admin Rights


Cybersecurity researchers have uncovered four new vulnerabilities in a core Windows component that can enable local attackers to escalate privileges and erase security logs. The flaws, found in the Windows Task Scheduler binary schtasks.exe, allow threat actors to run SYSTEM-level commands and evade detection by tampering with audit trails.

The discoveries were made by Ruben Enkaoua, a security researcher at Cymulate, and shared in a detailed report published by The Hacker News.

How Attackers Exploit Task Scheduler

The vulnerabilities revolve around the misuse of schtasks.exe, a binary used to create and manage scheduled tasks on local or remote systems. The binary, typically used by administrators, can also be abused to bypass User Account Control (UAC), allowing unapproved SYSTEM-level command execution.

According to Cymulate, the flaw lies in how tasks are registered. If an attacker creates a scheduled task using Batch Logon (which requires a password) rather than an Interactive Token, the task runs with the maximum privileges allowed for that account.

To leverage this, attackers must first gain access to a password. This could be achieved by cracking an NTLMv2 hash or exploiting existing vulnerabilities such as CVE-2023-21726. Once the password is obtained, a low-privileged user can impersonate members of privileged groups — like Administrators or Backup Operators — during task execution using /ru and /rp flags.

This vulnerability is not just a UAC bypass; it provides a direct path to privilege escalation through impersonation. The attacker essentially hijacks elevated task privileges with a single command-line instruction.

Evading Detection by Overwriting Windows Event Logs

In addition to privilege escalation, the flaw supports two defense evasion techniques that involve log manipulation. By registering a task with an XML file containing a large “author” field, attackers can overwrite the Task Event Log.

For example, setting an author name with 3,500 “A” characters corrupts the XML log entry. This action compromises the integrity of task logs and can be further extended to overwrite the entire Security.evtx log file — located at C:\Windows\System32\winevt\logs\Security.evtx.

Such an overwrite effectively erases historical event records, allowing malicious activity to go unnoticed. This form of audit trail deletion makes incident response and forensics significantly harder.
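The two behaviours described above, a task registered with explicit credentials via /ru and /rp, and a task definition whose Author field is thousands of characters long, are both visible in the data a defender already collects: the task definition XML that Windows records when a task is registered, and the process command line that launched schtasks.exe. The following is an added detection example written for this article; it is not code from Cymulate, Microsoft or the original report. It operates on constructed sample records embedded inline (the task XML and the command lines are made up for the example), the 256-character Author threshold is an arbitrary choice, and the mapping of the page's "Batch Logon" to the Task Scheduler XML value `LogonType = Password` is an assumption that should be checked against the task definitions in your own environment.

```python
import re
import xml.etree.ElementTree as ET

# Namespace used by Task Scheduler task definition XML.
TASK_XML_NS = "http://schemas.microsoft.com/windows/2004/02/mit/task"

# Constructed sample: a task definition whose Author field is 3,500 "A"
# characters (the size the article cites) and whose principal uses a
# password-based (non-interactive) logon type.  Not a real captured event.
SAMPLE_TASK_XML = f"""<Task version="1.2" xmlns="{TASK_XML_NS}">
  <RegistrationInfo>
    <Author>{'A' * 3500}</Author>
  </RegistrationInfo>
  <Principals>
    <Principal id="Author">
      <UserId>Administrator</UserId>
      <LogonType>Password</LogonType>
      <RunLevel>HighestAvailable</RunLevel>
    </Principal>
  </Principals>
  <Actions Context="Author">
    <Exec><Command>cmd.exe</Command></Exec>
  </Actions>
</Task>"""

# Constructed sample process-creation command lines (hypothetical task names).
SAMPLE_PROCESS_EVENTS = [
    r'schtasks.exe /create /tn "Updater" /tr "C:\Windows\System32\cmd.exe" '
    r'/ru Administrator /rp ******** /sc once /st 00:00',
    r'schtasks.exe /run /tn "Updater"',
    r'schtasks.exe /create /tn "Import" /xml C:\Users\Public\task.xml '
    r'/ru Administrator /rp ********',
]

SCHTASKS_RE = re.compile(r"\bschtasks(\.exe)?\b", re.IGNORECASE)


def _tag(name):
    """Qualify a tag name with the Task Scheduler namespace."""
    return f"{{{TASK_XML_NS}}}{name}"


def analyze_task_xml(xml_text, max_author_len=256):
    """Return findings for one task definition XML document."""
    findings = []
    root = ET.fromstring(xml_text)
    author = root.findtext(f"{_tag('RegistrationInfo')}/{_tag('Author')}") or ""
    # An Author field far longer than any human-entered value is the
    # log-tampering indicator the article describes.
    if len(author) > max_author_len:
        findings.append(f"oversized Author field ({len(author)} chars)")
    for principal in root.iter(_tag("Principal")):
        logon = principal.findtext(_tag("LogonType")) or ""
        user = (principal.findtext(_tag("UserId"))
                or principal.findtext(_tag("GroupId")) or "")
        # Assumption: "Password" is the XML form of the page's Batch Logon.
        if logon.lower() == "password":
            findings.append(f"password logon type for principal {user!r}")
    return findings


def analyze_command_line(cmdline):
    """Return findings for one process-creation command line."""
    findings = []
    if not SCHTASKS_RE.search(cmdline):
        return findings
    # Whole-token comparison so that "/run" is not mistaken for "/ru".
    tokens = {t.lower() for t in cmdline.split()}
    if "/create" in tokens and "/ru" in tokens and "/rp" in tokens:
        findings.append("schtasks /create with explicit credentials (/ru and /rp)")
    if "/create" in tokens and "/xml" in tokens:
        findings.append("schtasks /create from XML file")
    return findings


def scan(task_xml_records, process_records):
    """Run both analyzers and return (source, finding) alert tuples."""
    alerts = []
    for xml_text in task_xml_records:
        alerts.extend(("task-registration", f) for f in analyze_task_xml(xml_text))
    for cmd in process_records:
        alerts.extend(("process-creation", f) for f in analyze_command_line(cmd))
    return alerts


if __name__ == "__main__":
    for source, finding in scan([SAMPLE_TASK_XML], SAMPLE_PROCESS_EVENTS):
        print(f"[{source}] {finding}")
```

In a real deployment the task XML would come from the Security log's task-creation events or from the Task Scheduler operational log, and the command lines from process-creation auditing or an EDR; the point of the two checks is that neither depends on the Task Scheduler log surviving, so an oversized Author field or an explicit-credential registration can still be caught even if the tampering the article describes succeeds.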

Enkaoua noted the severity of the issue, stating: “Task Scheduler is accessible to all users, yet it runs under SYSTEM. It bridges user impersonation, process integrity, and privilege juggling.”

The key concern is how schtasks.exe, when used with specific flags, allows execution under impersonated identities. This capability turns a built-in Windows feature into a serious security risk when misused.
