From d72a0f0d2f9c45db6272180cb6f40bcdeb82e0cb Mon Sep 17 00:00:00 2001
From: Prakash Thakur
Date: Sat, 20 Dec 2025 00:48:08 -0800
Subject: [PATCH 1/3] Add files via upload

Executes registered background task logic within a trusted Windows host process. It can be abused as a signed binary proxy execution context where attacker-controlled background tasks run under a benign Windows process, complicating detection and triage.
---
 BackgroundTaskHost.yml | 41 +++++++++++++++++++++++++++++++++++++++++
 1 file changed, 41 insertions(+)
 create mode 100644 BackgroundTaskHost.yml

diff --git a/BackgroundTaskHost.yml b/BackgroundTaskHost.yml
new file mode 100644
index 00000000..8ed2dac7
--- /dev/null
+++ b/BackgroundTaskHost.yml
@@ -0,0 +1,41 @@ +Name: BackgroundTaskHost.exe +Description: Microsoft-signed Windows component used to host and execute background tasks associated with applications and system components. While not malicious, it can act as a trusted execution context for attacker-controlled background logic. +Aliases: + - Alias: BackgroundTaskHost64.exe +Author: Microsoft Corporation +Created: 2012-10-26 +Commands: + - Command: BackgroundTaskHost.exe + Description: Executes registered background task logic within a trusted Windows host process. + Usecase: Can be abused as a signed binary proxy execution context where attacker-controlled background tasks run under a benign Windows process, complicating detection and triage. + Category: Execute + Privileges: User + MitreID: T1218 + OperatingSystem: Windows 10 1803, Windows 10 1909, Windows 11 + Tags: + - Technique: Signed Binary Proxy Execution + - Context: Execution Masquerading + + - Command: schtasks /create /tn UserSync /tr notepad.exe /sc onlogon /rl LIMITED + Description: Creates a user-level scheduled task that later executes within the BackgroundTaskHost.exe context. + Usecase: Demonstrates how non-administrative attackers can indirectly cause execution under BackgroundTaskHost.exe at user logon. 
+ Category: Persistence + Privileges: User + MitreID: T1053 + OperatingSystem: Windows 10 All +Full_Path: + - Path: C:\Windows\System32\BackgroundTaskHost.exe + - Path: C:\Windows\SysWOW64\BackgroundTaskHost.exe +Code_Sample: + - Code: https://learn.microsoft.com/windows/uwp/launch-resume/support-your-app-with-background-tasks +Detection: + - IOC: BackgroundTaskHost.exe spawning unexpected child processes + - IOC: BackgroundTaskHost.exe executing shortly after user-level task creation + - Analysis: https://strontic.github.io/xcyclopedia/library/backgroundTaskHost.exe-8B50BFD5811304543479B20D0A281C56.html +Resources: + - Link: https://learn.microsoft.com/windows/uwp/launch-resume/background-tasks + - Link: https://attack.mitre.org/techniques/T1218/ + - Link: https://strontic.github.io/xcyclopedia/library/backgroundTaskHost.exe-8B50BFD5811304543479B20D0A281C56.html +Acknowledgement: + - Person: Prakash Munimsingh Thakur + Handle: 'https://github.com/4renSick'' From c2e4edbfae4c7ecea2a904589c0876da880744e4 Mon Sep 17 00:00:00 2001 From: Prakash Thakur Date: Sat, 20 Dec 2025 00:59:20 -0800 Subject: [PATCH 2/3] Revise BackgroundTaskHost.yml metadata Updated author information and created date for BackgroundTaskHost.exe. --- BackgroundTaskHost.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/BackgroundTaskHost.yml b/BackgroundTaskHost.yml index 8ed2dac7..5f700019 100644 --- a/BackgroundTaskHost.yml +++ b/BackgroundTaskHost.yml 
@@ -2,8 +2,8 @@ Name: BackgroundTaskHost.exe Description: Microsoft-signed Windows component used to host and execute background tasks associated with applications and system components. While not malicious, it can act as a trusted execution context for attacker-controlled background logic. Aliases: - Alias: BackgroundTaskHost64.exe -Author: Microsoft Corporation -Created: 2012-10-26 +Author: Prakash Thakur +Created: 2025-12-20 Commands: - Command: BackgroundTaskHost.exe Description: Executes registered background task logic within a trusted Windows host process. @@ -39,3 +39,4 @@ Resources: Acknowledgement: - Person: Prakash Munimsingh Thakur Handle: 'https://github.com/4renSick'' + From c5864d2d03b062c6c3793365b25d6a9ff2c49968 Mon Sep 17 00:00:00 2001 From: Prakash Thakur Date: Sat, 20 Dec 2025 01:00:12 -0800 Subject: [PATCH 3/3] Delete BackgroundTaskHost.yml --- BackgroundTaskHost.yml | 42 ------------------------------------------ 1 file changed, 42 deletions(-) delete mode 100644 BackgroundTaskHost.yml diff --git a/BackgroundTaskHost.yml b/BackgroundTaskHost.yml deleted file mode 100644 index 5f700019..00000000 --- a/BackgroundTaskHost.yml +++ /dev/null 
@@ -1,42 +0,0 @@ -Name: BackgroundTaskHost.exe -Description: Microsoft-signed Windows component used to host and execute background tasks associated with applications and system components. While not malicious, it can act as a trusted execution context for attacker-controlled background logic. -Aliases: - - Alias: BackgroundTaskHost64.exe -Author: Prakash Thakur -Created: 2025-12-20 -Commands: - - Command: BackgroundTaskHost.exe - Description: Executes registered background task logic within a trusted Windows host process. - Usecase: Can be abused as a signed binary proxy execution context where attacker-controlled background tasks run under a benign Windows process, complicating detection and triage. - Category: Execute - Privileges: User - MitreID: T1218 - OperatingSystem: Windows 10 1803, Windows 10 1909, Windows 11 - Tags: - - Technique: Signed Binary Proxy Execution - - Context: Execution Masquerading - - - Command: schtasks /create /tn UserSync /tr notepad.exe /sc onlogon /rl LIMITED - Description: Creates a user-level scheduled task that later executes within the BackgroundTaskHost.exe context. - Usecase: Demonstrates how non-administrative attackers can indirectly cause execution under BackgroundTaskHost.exe at user logon. 
- Category: Persistence - Privileges: User - MitreID: T1053 - OperatingSystem: Windows 10 All -Full_Path: - - Path: C:\Windows\System32\BackgroundTaskHost.exe - - Path: C:\Windows\SysWOW64\BackgroundTaskHost.exe -Code_Sample: - - Code: https://learn.microsoft.com/windows/uwp/launch-resume/support-your-app-with-background-tasks -Detection: - - IOC: BackgroundTaskHost.exe spawning unexpected child processes - - IOC: BackgroundTaskHost.exe executing shortly after user-level task creation - - Analysis: https://strontic.github.io/xcyclopedia/library/backgroundTaskHost.exe-8B50BFD5811304543479B20D0A281C56.html -Resources: - - Link: https://learn.microsoft.com/windows/uwp/launch-resume/background-tasks - - Link: https://attack.mitre.org/techniques/T1218/ - - Link: https://strontic.github.io/xcyclopedia/library/backgroundTaskHost.exe-8B50BFD5811304543479B20D0A281C56.html -Acknowledgement: - - Person: Prakash Munimsingh Thakur - Handle: 'https://github.com/4renSick'' -
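Review bot: in the `@@ -0,0 +1,41 @@` hunk of patch 1/3, the second Commands entry (`schtasks /create /tn UserSync /tr notepad.exe /sc onlogon /rl LIMITED`) is not an invocation of BackgroundTaskHost.exe and does not run under it: a task created with schtasks is launched by the Task Scheduler service, so the Description "later executes within the BackgroundTaskHost.exe context" and the Detection IOC "executing shortly after user-level task creation" derived from it describe a link the entry never establishes. Drop that entry, and give the first Command an actual command line showing how attacker-controlled logic would be hosted; as written it is the bare binary name and the entry documents only normal behaviour. Two smaller points in the same hunk: `Handle: 'https://github.com/4renSick''` has a doubled closing quote (in a YAML single-quoted scalar `''` is an escaped quote, so the scalar never terminates and the file fails to parse; use `Handle: 'https://github.com/4renSick'`), and `Author: Microsoft Corporation` / `Created: 2012-10-26` put the binary's vendor and build date in fields meant for the entry's author and creation date, which patch 2/3 then has to correct.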
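Review bot: the `@@ -39,3 +39,4 @@` hunk of patch 2/3 only appends an empty line after `Handle: 'https://github.com/4renSick''` and leaves the doubled closing quote in place, so the file still does not parse as YAML after this commit. Fix the quote here (`Handle: 'https://github.com/4renSick'`) rather than adding a trailing blank line, which YAML linters commonly flag. The `@@ -2,8 +2,8 @@` hunk's Author/Created change is correct and needs nothing further.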
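Review bot: the `@@ -1,42 +0,0 @@` hunk of patch 3/3 deletes the file that patch 1/3 added, so the series as a whole leaves the repository unchanged. If the intent is to move BackgroundTaskHost.yml out of the repository root into the directory where such entries belong, the re-add under the new path is missing from this PR (and the YAML quote error should be fixed there); if the entry was withdrawn, the three commits should be squashed or the PR closed rather than merged as a no-op.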