Windows Task Scheduler


So helpful at disclosing credentials, even when you ask it not to

It’s not every day you come across an issue that Microsoft deems worthy of a patch, especially when your day job is sifting through logs to find indicators of compromise.

However, while testing some techniques to detect password scraping from memory, that is the position we found ourselves in. The first thing we had to confirm was whether the issue was present on all of our Windows test servers, as we were worried we had misconfigured something on the server where the flaw was discovered. Once we had confirmed that the issue reproduced on multiple operating systems, including a fully patched Windows Server 2016 environment, we had the confidence to submit it to Microsoft.

Microsoft has a simple process for submitting a security vulnerability and asks for the following information as a starting point; a summary of our submission is included under each item:

  • Type of issue (buffer overflow, SQL injection, cross-site scripting, etc.)
    Plaintext/Easily Reversible credentials stored in memory
  • Product and version that contains the bug, or URL if for an online service
    Tested on Windows Server 2012R2 and Windows Server 2016
  • Service packs, security updates, or other updates for the product you have installed
    Up to date with security patches.
  • Any special configuration required to reproduce the issue
  • Step-by-step instructions to reproduce the issue on a fresh install
    The steps to reproduce this issue are described below.
  • Proof-of-concept or exploit code
    No code required for this.
  • Impact of the issue, including how an attacker could exploit the issue
