S1011: Tarrask
Analyst context for executives and security teams
Tarrask matters because it represents Windows malware focused on staying hidden through concealed scheduled tasks. For leaders, the practical issue is not only malware identification; it is whether the organization can prove that scheduled-task persistence, registry changes, and command-shell execution are visible enough for SOC and incident response teams to find stealthy persistence before it becomes a long-running compromise.
Executive priority
Prioritize validation of Windows persistence monitoring and response playbooks. ATT&CK links Tarrask to HAFNIUM and to techniques for scheduled tasks, masquerading, registry modification, command shell execution, token impersonation/theft, and hidden artifacts. That makes it relevant to resilience planning, audit evidence for endpoint monitoring, and IR readiness for cases where an attacker attempts to remain present while blending into normal administration.
Technical view
For Windows environments, defenders should validate coverage around T1053.005 Scheduled Task, T1036.004 Masquerade Task or Service, T1112 Modify Registry, T1059.003 Windows Command Shell, T1134.001 Token Impersonation/Theft, and hiding or naming behaviors associated with T1564 and T1036.005. Because the official ATT&CK object provides no detection guidance, teams should base detections on local baselines: known-good scheduled tasks, expected task names/descriptions, authorized administrative command usage, and approved registry changes related to persistence.
Likely telemetry
- Windows scheduled task creation, modification, deletion, and execution records
- Task Scheduler operational logs and task definition metadata such as task name, description, trigger, action, and run context
- Process creation and command-line telemetry for cmd.exe, schtasks, reg, and other administrative utilities when used for task or registry changes
- Windows Registry modification telemetry for persistence-relevant keys and task-related changes
- Endpoint security events showing hidden or concealed artifacts where available
Detection direction
- Build or validate baselines of legitimate scheduled tasks by host role, owner, trigger, action, and naming pattern; alert on new or changed tasks that mimic trusted names or lack a clear business owner.
- Correlate scheduled-task changes with command-shell execution and registry modifications, especially when performed outside normal administration windows or by unusual accounts.
- Tune carefully for administrative false positives: software deployment, endpoint management, backup tools, and IT automation commonly create scheduled tasks and modify registry values.
- Review visibility gaps: concealed or hidden tasks may not be obvious in standard administrative views, so incident response should compare multiple evidence sources rather than relying on a single console.
- Use the HAFNIUM relationship as threat-intelligence context, not as proof of attribution in any local incident.
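The following PowerShell check is an added example, not code from ATT&CK, Microsoft or Glexia. It implements the technical-view and detection-direction points above by comparing two evidence sources for the same host: the Task Scheduler service view and the registry task cache, flagging tasks whose `SD` (Security Descriptor) value is missing, tasks present in the registry but absent from the console view, and tasks outside an approved inventory. It assumes the standard `TaskCache\Tree` registry layout and the built-in `ScheduledTasks` module; the approved-task list is a constructed placeholder.

```powershell
function Find-HiddenScheduledTask {
    [CmdletBinding()]
    param(
        # Constructed sample baseline; replace with the organization's approved inventory.
        [string[]]$ApprovedTaskPaths = @('\Microsoft\Windows\Defrag\ScheduledDefrag')
    )
    # Registry cache of registered tasks (assumed standard layout, requires an elevated session)
    $treeKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree'

    # Evidence source 1: what the Task Scheduler service reports (what the console shows)
    $visible = @{}
    foreach ($t in Get-ScheduledTask) { $visible[$t.TaskPath + $t.TaskName] = $true }

    # Evidence source 2: the registry cache; task keys carry an 'Id' value, folder keys do not
    foreach ($key in Get-ChildItem -Path $treeKey -Recurse) {
        if ($null -eq $key.GetValue('Id')) { continue }
        # Turn the full key name into a task path such as \Microsoft\Windows\Defrag\ScheduledDefrag
        $path = $key.Name -replace '^.*?\\TaskCache\\Tree', ''
        $reasons = @()
        if ($null -eq $key.GetValue('SD')) {
            $reasons += 'SD value missing (task concealed from Task Scheduler views)'
        }
        if (-not $visible.ContainsKey($path)) {
            $reasons += 'present in registry cache but absent from Get-ScheduledTask'
        }
        # Tuning assumption: built-in \Microsoft\* tasks are excluded from the inventory check
        if ($ApprovedTaskPaths -notcontains $path -and $path -notlike '\Microsoft\*') {
            $reasons += 'not in approved inventory'
        }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                TaskPath = $path
                Id       = $key.GetValue('Id')
                Reasons  = ($reasons -join '; ')
            }
        }
    }
}

Find-HiddenScheduledTask | Format-Table -AutoSize
```

Findings with a missing `SD` value or a registry-only task warrant the multi-source incident response comparison described above; inventory-only findings are mostly tuning input for administrative false positives.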
Mitigation priorities
- Maintain an approved inventory of scheduled tasks on critical Windows systems and review deviations as part of endpoint hardening and compliance evidence.
- Restrict who can create or modify scheduled tasks and persistence-related registry locations; ensure privileged administrative activity is logged and reviewed.
- Harden endpoint monitoring to collect command-line, task, registry, and privilege-context evidence needed for investigation.
- Include scheduled-task persistence and hidden-artifact checks in Windows incident response triage procedures.
- Periodically test SOC content and IR runbooks against benign simulations of scheduled-task creation and registry modification to confirm telemetry and alert routing.
Analyst notes and limits
The object is a malware entry for Tarrask, described by ATT&CK as malware used by HAFNIUM since at least August 2021 and designed to evade defenses and maintain persistence by generating concealed scheduled tasks. The highest-value defensive takeaway is to validate Windows persistence visibility and administrative-change governance rather than focus only on malware naming.
ATT&CK provides no official detection text for this object, and the supplied data does not include indicators, hashes, affected products, or guaranteed detection logic. Local baselines, endpoint logging configuration, and incident evidence are required to determine exposure or coverage.
Tarrask
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1036.005 | Match Legitimate Resource Name or Location Sub-technique | Tarrask has masqueraded as executable files such as `winupdate.exe`, `date.exe`, or `win.exe`. [1] |
| Enterprise | T1059.003 | Windows Command Shell Sub-technique | Tarrask may abuse the Windows schtasks command-line tool to create "hidden" scheduled tasks. [1] |
| Enterprise | T1134.001 | Token Impersonation/Theft Sub-technique | Tarrask leverages token theft to obtain `lsass.exe` security permissions. [1] |
| Enterprise | T1036.004 | Masquerade Task or Service Sub-technique | Tarrask creates a scheduled task called "WinUpdate" to re-establish any dropped C2 connections. [1] |
| Enterprise | T1053.005 | Scheduled Task Sub-technique | Tarrask is able to create "hidden" scheduled tasks for persistence. [1] |
| Enterprise | T1112 | Modify Registry | Tarrask is able to delete the Security Descriptor (`SD`) registry subkey in order to "hide" scheduled tasks. [1] |
| Enterprise | T1564 | Hide Artifacts | Tarrask is able to create "hidden" scheduled tasks by deleting the Security Descriptor (`SD`) registry value. [1] |
Groups, software, and campaigns
G0125: HAFNIUM
HAFNIUM is a likely state-sponsored cyber espionage group operating out of China that has been active since at least January 2021. HAFNIUM primarily targets entities in the US across a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs. HAFNIUM has targeted remote management tools and cloud software for initial access and has demonstrated an ability to quickly operationalize exploits for identified vulnerabilities in edge devices.[1][2][3]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 0365bf8b1c3d… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Tarrask scheduled task: Microsoft Threat Intelligence Team & Detection and Response Team. (2022, April 12). Tarrask malware uses scheduled tasks for defense evasion. Retrieved June 1, 2022.
[2] mitre-attack S1011
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.