Skip to content

S1011 Tarrask

Tarrask is malware that has been used by HAFNIUM since at least August 2021. Tarrask was designed to evade digital defenses and maintain persistence by generating concealed scheduled tasks.1

Item Value
ID S1011
Associated Names
Version 1.0
Created 01 June 2022
Last Modified 18 October 2022
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1134 Access Token Manipulation -
enterprise T1134.001 Token Impersonation/Theft Tarrask leverages token theft to obtain lsass.exe security permissions.1
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.003 Windows Command Shell Tarrask may abuse the Windows schtasks command-line tool to create “hidden” scheduled tasks.1
enterprise T1564 Hide Artifacts Tarrask is able to create “hidden” scheduled tasks by deleting the Security Descriptor (SD) registry value.1
enterprise T1036 Masquerading -
enterprise T1036.004 Masquerade Task or Service Tarrask creates a scheduled task called “WinUpdate” to re-establish any dropped C2 connections.1
enterprise T1036.005 Match Legitimate Name or Location Tarrask has masqueraded as executable files such as winupdate.exe, date.exe, or win.exe.1
enterprise T1112 Modify Registry Tarrask is able to delete the Security Descriptor (SD) registry subkey in order to “hide” scheduled tasks.1
enterprise T1053 Scheduled Task/Job -
enterprise T1053.005 Scheduled Task Tarrask is able to create “hidden” scheduled tasks for persistence.1

Groups That Use This Software

ID Name References