Mechanism of Evasion
1. Task Creation: A malicious or bypass-related task is created using the Task Scheduler GUI, the schtasks.exe command-line tool, or PowerShell cmdlets (Register-ScheduledTask).

2. Payload Execution: The task is configured to execute a specific action, which could be:
   - Launching a cheat loader or the cheat itself.
   - Running a script (.bat, .ps1, .vbs) that performs malicious actions (e.g., deletes logs, downloads further payloads, disables security).
   - Executing system commands (e.g., using cmd.exe /c ... or powershell.exe -Command ...).

3. Trigger Configuration: The critical part for evasion is the trigger. Tasks might be set to run:
   - At system startup or At logon: Executes the payload early, potentially before all monitoring or screensharing tools are active.
   - On a specific event: Triggered by system events that might occur during gameplay.
   - At a specific time: Less common for direct bypass during a screenshare (SS), more for persistence.

4. Execution Context & Privileges: Tasks can be configured to run under different user accounts, including the SYSTEM account, potentially granting the payload elevated privileges needed for certain bypass actions (such as stopping critical services).

5. Bypassing Monitoring:
   - Execution Source: The task is launched by the Task Scheduler service (taskeng.exe, or hosted within svchost.exe), not directly by the user double-clicking an icon. This can sometimes bypass simple execution logging focused on direct user initiation. Prefetch might only log mmc.exe (Task Scheduler GUI) or schtasks.exe if used for creation, or the scheduler service itself, rather than the payload directly, depending on how the action is configured.
   - Timing: Startup/logon triggers can execute code before typical screenshare monitoring begins.
   - Obfuscation: Task names, descriptions, and the paths/arguments within the task's action can be disguised to look legitimate (e.g., mimicking update tasks) to evade manual inspection. Unicode characters might also be used.
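The traits listed above (boot/logon/event triggers, SYSTEM or highest-privilege principals, script interpreters or scripts in the action, binaries outside the usual system directories, non-ASCII task names) are exactly what a screenshare checker or incident responder can enumerate on the live machine. The following PowerShell triage script is an added example written for this page; it is not code from the original page or from any project it describes. It uses the built-in ScheduledTasks module (Get-ScheduledTask, Get-ScheduledTaskInfo) and flags a task when two or more of those traits coincide, which keeps the many legitimate Microsoft tasks that run as SYSTEM at boot from drowning out the interesting ones. The trigger and action CIM class names (MSFT_TaskBootTrigger, MSFT_TaskExecAction, and so on) are the real ones the module exposes; the regular expressions and the "two reasons" threshold are assumptions you should tune to your baseline.

```powershell
# Added example (not from the original page): triage scheduled tasks for the
# evasion traits described above. Run from an elevated PowerShell session so
# that tasks registered by other users and by SYSTEM are visible.

# Trigger classes that fire early (boot/logon) or on system events.
$earlyTriggers      = 'MSFT_TaskBootTrigger', 'MSFT_TaskLogonTrigger', 'MSFT_TaskEventTrigger'
# Interpreters and script extensions commonly used as the task action (assumed list, extend as needed).
$interpreterPattern = 'cmd\.exe|powershell\.exe|pwsh\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe'
$scriptPattern      = '\.(bat|cmd|ps1|vbs|js|hta)\b'
# Directories where a task action binary is expected to live (assumed baseline).
$trustedRoots       = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }

$findings = Get-ScheduledTask | ForEach-Object {
    $task    = $_
    $reasons = [System.Collections.Generic.List[string]]::new()

    # 1. Trigger: boot, logon, or event-driven?
    foreach ($t in $task.Triggers) {
        if ($t.CimClass.CimClassName -in $earlyTriggers) {
            $reasons.Add('trigger=' + ($t.CimClass.CimClassName -replace '^MSFT_Task', ''))
        }
    }

    # 2. Principal: SYSTEM account or highest run level?
    $p = $task.Principal
    if ($p.UserId -match '^(SYSTEM|S-1-5-18|NT AUTHORITY\\SYSTEM)$') { $reasons.Add('runs-as=SYSTEM') }
    if ("$($p.RunLevel)" -eq 'Highest')                              { $reasons.Add('runlevel=Highest') }

    # 3. Action: interpreter, script extension, or executable outside trusted roots?
    foreach ($a in $task.Actions) {
        if ($a.CimClass.CimClassName -ne 'MSFT_TaskExecAction') { continue }
        $exe     = [string]$a.Execute
        $argStr  = [string]$a.Arguments
        $cmdLine = "$exe $argStr"
        if ($cmdLine -match $interpreterPattern) { $reasons.Add("interpreter=$($Matches[0])") }
        if ($cmdLine -match $scriptPattern)      { $reasons.Add("script-ext=$($Matches[0])") }

        # Expand %SystemRoot%-style variables so the path comparison is meaningful.
        $expanded = [Environment]::ExpandEnvironmentVariables($exe).Trim('"')
        if ($expanded -match '^[A-Za-z]:\\') {
            $inTrusted = $false
            foreach ($root in $trustedRoots) {
                if ($expanded.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { $inTrusted = $true }
            }
            if (-not $inTrusted) { $reasons.Add("path-outside-trusted=$expanded") }
        }
    }

    # 4. Name obfuscation: any non-printable-ASCII character in the task name.
    if ($task.TaskName -match '[^\x20-\x7E]') { $reasons.Add('non-ascii-name') }

    # Report only when several traits coincide (threshold is an assumption; tune to taste).
    if ($reasons.Count -ge 2) {
        $info = $task | Get-ScheduledTaskInfo
        [pscustomobject]@{
            Task    = "$($task.TaskPath)$($task.TaskName)"
            State   = $task.State
            Author  = $task.Author
            LastRun = $info.LastRunTime
            NextRun = $info.NextRunTime
            Reasons = ($reasons -join '; ')
        }
    }
}

$findings | Sort-Object Task | Format-Table -AutoSize -Wrap
```

Read the output against what the machine is supposed to have: a Microsoft-authored task under \Microsoft\Windows\ that runs as SYSTEM at boot is normal, while a task with a similar-looking name whose action points at a user-writable directory or launches powershell.exe with a script argument is the pattern this page describes. Because the Task Scheduler service, not the user, starts the action, Prefetch and simple "who launched it" logs are weak evidence here; the task definition itself, plus the Microsoft-Windows-TaskScheduler/Operational event log and the XML files under %SystemRoot%\System32\Tasks, are the artifacts to inspect.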