S1011 Tarrask
Tarrask is malware that has been used by HAFNIUM since at least August 2021. Tarrask was designed to evade digital defenses and maintain persistence by generating concealed scheduled tasks.[1]
Item | Value |
---|---|
ID | S1011 |
Associated Names | |
Type | MALWARE |
Version | 1.0 |
Created | 01 June 2022 |
Last Modified | 18 October 2022 |
Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
enterprise | T1134 | Access Token Manipulation | - |
enterprise | T1134.001 | Token Impersonation/Theft | Tarrask leverages token theft to obtain lsass.exe security permissions.[1] |
enterprise | T1059 | Command and Scripting Interpreter | - |
enterprise | T1059.003 | Windows Command Shell | Tarrask may abuse the Windows schtasks command-line tool to create “hidden” scheduled tasks.[1] |
enterprise | T1564 | Hide Artifacts | Tarrask is able to create “hidden” scheduled tasks by deleting the Security Descriptor (SD) registry value.[1] |
enterprise | T1036 | Masquerading | - |
enterprise | T1036.004 | Masquerade Task or Service | Tarrask creates a scheduled task called “WinUpdate” to re-establish any dropped C2 connections.[1] |
enterprise | T1036.005 | Match Legitimate Name or Location | Tarrask has masqueraded as executable files such as winupdate.exe, date.exe, or win.exe.[1] |
enterprise | T1112 | Modify Registry | Tarrask is able to delete the Security Descriptor (SD) registry subkey in order to “hide” scheduled tasks.[1] |
enterprise | T1053 | Scheduled Task/Job | - |
enterprise | T1053.005 | Scheduled Task | Tarrask is able to create “hidden” scheduled tasks for persistence.[1] |
Groups That Use This Software
ID | Name | References |
---|---|---|
G0125 | HAFNIUM | 1 |