Episode Transcript
This week, I'm going to clarify the confusion around three similar Windows artifacts. Welcome to the Digital Forensics Survival Podcast. This is episode 470.

Hello everyone, I'm Michael, your host. Welcome to the show. This week I'm talking about the three task hosts that you find on Windows systems. Now, these are Windows core files. So not only do they have similar names, but they have similar functionality. So there's the potential for lots of confusion, which may allow attackers to leverage these similarities to mask their malicious behavior. My goal in this episode is to demystify the three different task hosts and provide the necessary insight for proper triage if any of these files come up during your investigations.

EDRs, XDRs, and remote ops don't collect all the DFIR artifacts you need for incident response, but they can be leveraged to collect more using Cyber Triage. Visit cybertriage.com/EDR to learn more about how to collect more DFIR artifacts using your EDR, XDR, or remote ops system. Cyber Triage automatically surfaces relevant startup items, user logins, and processes so you can spend more time investigating and less time wrangling data. Once again, visit cybertriage.com/EDR to learn more.

Unlock the gold standard in Mac forensics training with SUMURI. Their courses are the longest running, highest rated, truly vendor-neutral training, which ensures that you are equipped with the skills you need, free from sales pitches. Designed by Steve Whalen, the mastermind behind PALADIN, RECON, and TALINO, it has empowered thousands of examiners globally. Plus, SUMURI offers the Certified Forensic Mac Examiner, the only vendor-neutral certification in the industry. Dive deep into Mac forensics with the experts. Learn more at sumuri.com.

Facing an overflow of evidence drives? Image 26 drives at a time with an Atola TaskForce 2. This high-performance hardware imager reassembles unknown RAID arrays, supports damaged drives, and can be integrated into your workflow via API. Learn more at atola.com. Once again, that's a-t-o-l-a.com.

The Windows operating system has these three core files. They're called taskhost, taskhostw, and taskhostex. Now, these are all different processes that serve different purposes, but you can see by the name (and each of these is all one word) where, to someone who doesn't know much about them, they may appear confusing, or you may mistake one for the other. So what I'm going to do in this episode is talk about each one in turn, talk about it from the position of its purpose, forensic considerations, and anything else that you should know about it that could add the correct context. So if it does come up during your investigations, you'll have at least the fundamental background information in order to proceed, and if someone is trying to leverage the confusion against you, you'll stand a better chance of picking that out.

I'll start by giving you a high-level overview of each, and then we'll dive into each one in more detail. I'll start with taskhost. So the full file name is taskhost, which is one word, .exe. This is the executable file for the Task Scheduler engine, which is responsible for managing scheduled tasks on your system. Then we have taskhostw.exe, and this is the Windows host process for tasks. And then the last one is taskhostex, again all one word, .exe, and this is the Task Host Process Extension, which is primarily associated with COM infrastructure, or Component Object Model infrastructure, and provides a hosting environment for certain system services.

All right, let's dive a little deeper, starting with taskhost.exe. Now again, its purpose: it's typically associated as the executable for the Task Scheduler engine on legacy Windows operating systems. So when you see taskhost, you should be thinking Windows 7, something along those lines. And it manages scheduled tasks that run at designated times, system events, or user actions.

For forensic considerations, okay, this is going to be found in the System32 directory, and the presence of or execution from any other directory can indicate malicious tampering or a masquerading attempt. So if you see taskhost coming out of, you know, AppData or a Temp directory or a user directory, that's not normal. That's worth further investigation. Because this is a Windows core file, it is digitally signed by Microsoft. So if this is coming up on a system, one of the ways that you can check to see if it's been tampered with, or look for signs of compromise, would be to verify the signature against the official Microsoft certificate. And of course, any discrepancies or any unsigned versions may signal compromise.

Another thing to look at is its process behavior. Normal usage typically involves minimal CPU and memory resources. So a spike in resource consumption or abnormal network connections could indicate injection or malicious code piggybacking on the process. And then of course, any abnormal command line parameters passed to taskhost.exe, which would be apparent in event logs or process listings, can signal potential malicious activity. All right, this would be an attacker using taskhost to launch hidden tasks or execute scripts.

Remember, taskhost.exe is tied closely to the Windows Task Scheduler. So during your investigation you should review the Task Scheduler library, which is typically in the C:\Windows\System32\Tasks directory. Go to that directory and examine any newly created or modified tasks. And what you're looking for is malicious scripts or executables. There's also a registry key called ScheduledTasks (so that's scheduled, with an -ed, tasks, plural, all one word), and you can find that in the SOFTWARE registry hive. So it's SOFTWARE\Microsoft\Windows\CurrentVersion\Schedule\TaskCache. And this can hold valuable timestamps and other references.

Moving on to taskhostw.exe. The purpose of this file is, well, it acts as, or it is, the Windows host process for tasks, and it's generally seen on your more modern systems. So this is going to be Windows 8, if you want to consider Windows 8 modern, and up. So, you know, on your present-day Windows systems, taskhostw.exe is what you expect to find. It's associated with the Universal Windows Platform, which is abbreviated as UWP, apps, and it'll handle background tasks for these applications.

Now this too resides in the System32 directory. It's one of those core Windows files. So you can confirm file hashes and digital signatures as one of your due diligence checks for compromise. Now some Windows 10 and 11 systems might have different version numbers for taskhostw. So you want to ensure consistency with the installed OS build, or there's something to call out there.

Now, to give you an application scenario: you know, I mentioned the Universal Windows Platform, those applications. Like, what does that mean, or what can that mean for your investigation? Well, a surge in usage or spurious triggers for taskhostw could point to malicious or trojanized UWP applications. If investigating app-based malware, examine the AppX package logs, Microsoft Store logs, and associated tasks tied to taskhostw.

You can also do behavior analysis. Under normal conditions, taskhostw is lightly used. Extended running times, excessive CPU or memory usage, or unusual DLL injections are all red flags. And you also want to check for any nonstandard command line arguments or suspicious network connections in correlation with this process.

Now there are event logs and background tasks that you want to be aware of. So you want to review your event logs, of course: your Application and your Services logs. You'll see the Task Scheduler log, for instance. You're looking for any unexpected background tasks triggered under taskhostw. And then you can cross-reference the logs against known system or user-initiated actions to further identify these anomalies.

That then leaves us with taskhostex.exe. This is the Windows Task Host Process Extension, generally introduced in newer versions of Windows. So again, we're talking Windows 8 and above. It's primarily connected with Component Object Model infrastructure, or COM infrastructure, and it provides a hosting environment for certain system services and DLLs that need isolation. So if this file comes up during an investigation, one of the things that you should be considering is the isolation and the COM usage. Because it runs DLLs in an isolated manner, abnormal DLL injections or registry modifications that point to unusual DLL paths may be suspicious.

You want to ensure that taskhostex itself, of course, is legitimate. It's a Microsoft-signed binary, so you can check the signature, and of course this lives in the System32 directory, being again a core Windows file, so anything outside of that directory is of interest. You want to be aware of process spawns and DLL hosting. So you want to investigate any child processes spawned by taskhostex. Malicious actors might attempt to piggyback or side-load malicious DLLs. You want to check the module list in tools like Process Explorer, or even conduct memory forensics using tools like Volatility to identify non-native or suspicious DLLs that are attached to it.

Also look for performance and network calls. Typically, like the others, this is a low-resource file that's going to have a low resource footprint. Sustained CPU spikes or unexpected network activity from taskhostex can indicate intrusion or process hollowing. Investigate network connections if they're present, as the legitimate process rarely initiates outbound traffic.

And then you have the registry keys and the COM configuration. Look for suspicious changes in the SOFTWARE hive, which is going to be SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options, that might redirect taskhostex to malicious executables. And then there's also the COM registration keys, which are in the SOFTWARE hive. It's called CLSID, and you're looking for anomalies referencing taskhostex or suspicious DLL paths.

So then, for some basic general investigative best practices: comparing file hashes and certificates is always a good one if you suspect something, or one of these comes up. You want to see if it's legitimate or not. That's one of the go-to methods. File path and timestamps: I've mentioned the file path already. Those timestamps are important. You know, it's a Windows core file, so you expect it to have a timestamp that is in alignment with the other Windows core files. Name and path masquerading: so attackers may often rename malware as taskhost or taskhostw or taskhostex and put them in those nonstandard directories. Again, this is playing on the confusion.

And then of course, as we all know, computer forensic artifacts as a category in general are a moving target. They change, or they can change slightly, depending on the platform or the version of the platform that they're running on. So my last bit of advice is, of course, to do some validation testing. So that would be on your test systems. Just look at how many task hosts you have running under different circumstances, doing some baselines. If you have access to security appliances that can look at processes running on systems, and you can do a little proactive threat hunting, a little proactive baselining, start looking at your Windows servers or even endpoints and start looking at what you think could be normal. And this way, you're building up your knowledge base, so that if they do come up again during investigations, there's less confusion on your part, right? You've already done a little homework. So you have sort of a foundational level of expectations, or at least you're in a better position to start noticing things that do not look normal, or are not what you expect.

There you have it, a breakdown of the three Windows task hosts. I hope you found this information useful. As always, don't forget to check out the SDF training series. This is online, on-demand computer forensic training, and it's aimed at teaching you a valuable skill in about an hour or so. The classes are all on Udemy. So go to Udemy, that's u-d-e-m-y.com. Just type in SDF in the search bar. The classes come up. You can also get access to them via the website, which is securitytx.com/SDF. Any patronage is much appreciated, and it's one of the ways that you can help support the show. With that, it's time once again to wrap up another episode. As always, thanks for listening.
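Added by the editor, not part of the episode or the host's material: a PowerShell triage script that runs the checks the episode describes for all three binaries in one pass, so an examiner can baseline a test system or triage a live one. It checks on-disk location, Authenticode signature, hash and file version in System32; lists running instances and flags any whose image path is outside System32; searches user-writable locations for same-named files (masquerading); lists recently modified task definitions under System32\Tasks and the TaskCache entries; and checks Image File Execution Options for a Debugger redirection. Assumptions that are mine: the seven-day window for "recently modified" tasks, the set of user-writable locations searched, and the TaskCache key path, which is given here as it exists on current Windows builds (under Windows NT\CurrentVersion). Run it from an elevated prompt, or process paths and command lines of SYSTEM-owned instances will come back empty.

```powershell
# Added triage example for the three Windows task host binaries (not the episode's own code).
# Checks: on-disk location/signature, running instances, masquerading copies,
# Task Scheduler artifacts, and IFEO redirection. Run elevated for full visibility.

$names    = 'taskhost.exe', 'taskhostw.exe', 'taskhostex.exe'
$system32 = Join-Path $env:SystemRoot 'System32'

# 1. On-disk check: each binary that exists in System32 should be Microsoft-signed.
Write-Host "== Binaries in System32 =="
foreach ($name in $names) {
    $expected = Join-Path $system32 $name
    if (Test-Path $expected) {
        $sig = Get-AuthenticodeSignature -FilePath $expected
        [pscustomobject]@{
            File    = $expected
            Signed  = $sig.Status                      # expect 'Valid'
            Signer  = $sig.SignerCertificate.Subject   # expect a Microsoft subject
            SHA256  = (Get-FileHash -Path $expected -Algorithm SHA256).Hash
            Version = (Get-Item $expected).VersionInfo.FileVersion
        }
    }
}

# 2. Running instances: flag any whose image path is not under System32.
Write-Host "== Running instances =="
Get-CimInstance Win32_Process |
    Where-Object { $names -contains $_.Name } |
    ForEach-Object {
        $outside = $_.ExecutablePath -and
                   -not $_.ExecutablePath.StartsWith($system32, 'OrdinalIgnoreCase')
        [pscustomobject]@{
            PID         = $_.ProcessId
            Name        = $_.Name
            Path        = $_.ExecutablePath     # null if access was denied: run elevated
            CommandLine = $_.CommandLine        # review for nonstandard arguments
            ParentPID   = $_.ParentProcessId
            Suspicious  = [bool]$outside
        }
    }

# 3. Masquerading: same file names under user-writable locations (assumed set of paths).
Write-Host "== Same-named files outside System32 =="
Get-ChildItem -Path $env:USERPROFILE, $env:TEMP, $env:ProgramData -Recurse `
              -Include $names -ErrorAction SilentlyContinue |
    Select-Object FullName, Length, CreationTime, LastWriteTime

# 4. Task Scheduler artifacts: task definitions modified in the last 7 days (assumed window)
#    and the TaskCache registry entries (Path and Author values).
Write-Host "== Recently modified task definitions =="
$cutoff = (Get-Date).AddDays(-7)
Get-ChildItem -Path (Join-Path $system32 'Tasks') -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -gt $cutoff } |
    Select-Object FullName, CreationTime, LastWriteTime

Write-Host "== TaskCache entries =="
$taskCache = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks'
Get-ChildItem -Path $taskCache -ErrorAction SilentlyContinue | ForEach-Object {
    $p = Get-ItemProperty -Path $_.PSPath
    [pscustomobject]@{ Id = $_.PSChildName; Path = $p.Path; Author = $p.Author }
}

# 5. IFEO: a Debugger value under any of the three names redirects that image at launch.
Write-Host "== Image File Execution Options =="
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
foreach ($name in $names) {
    $key = Join-Path $ifeo $name
    if (Test-Path $key) {
        $dbg = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).Debugger
        if ($dbg) { "IFEO Debugger set for ${name}: $dbg" }
    }
}
```

On a clean system the first section should show Status Valid with a Microsoft signer for each file present, section 2 should show no Suspicious = True rows, section 3 should be empty, and section 5 should print nothing; run it on a known-good build first so the output is a baseline to compare against rather than a list to interpret from scratch.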