WPTaskScheduler.dll is a component of the Task Scheduler service, present since Windows 10 1507.
It can be used as a persistence backdoor. Security researchers who analyzed it found that it is able to bypass the Restricted Token sandbox and child-process restrictions and elevate to Medium Integrity.
1: Establishing the RPC connection: restricted-token processes such as the Google Chrome renderer seem unable to establish the RPC connection, so is it useless? Well, the bypass succeeds from audio.mojom.AudioService and the gpu-process......
2: AppContainers seem unable to escape, but it is hard to be sure that this is the only attack point.
Before a reboot the call fails in BasepCreateLowBox -> NtCreateLowBoxToken; after a reboot, does process creation as an AppContainer succeed?
WPTaskScheduler.dll!TsiRegisterRPCInterface now adjusts the RPC interface security, so the interface can no longer be accessed by Everyone.
At least Medium Integrity is required now (and other service accounts...).
Visual Studio 2022 -> Release x64
Both a persistence tool and a PoC for testing.
I suggest downloading WpTasks.exe (the hidden task revealer) from https://www.tenforums.com/general-support/157178-hidden-task-revealer.html......
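As an added example (not part of this repo or the tenforums tool), the following PowerShell script checks for scheduled tasks whose registry records are inconsistent, which is the kind of hidden task WpTasks.exe is meant to reveal. It assumes the TaskCache layout described in the cyber.wtf reference below: every task has a record under TaskCache\Tasks\{GUID} with a Path value, and every task that Task Scheduler enumerates also has a TaskCache\Tree\<path> key whose Id value points back to that GUID and which carries an SD value. A Tasks record with no matching Tree entry, a Tree entry whose Id does not match, or a Tree entry without SD is reported; treating each of those as "hidden" is an assumption to confirm against WpTasks.exe output. Run it from an elevated prompt, since the Tree keys are not readable by standard users.

```powershell
# Added example, not the repo's own code. Assumes the TaskCache registry layout
# documented at https://cyber.wtf/2022/06/01/windows-registry-analysis-todays-episode-tasks/
#   ...\TaskCache\Tasks\{GUID} -> Path (REG_SZ), Actions, Triggers, DynamicInfo
#   ...\TaskCache\Tree\<path>  -> Id (REG_SZ, {GUID}), Index (DWORD), SD (REG_BINARY)
# Requires an elevated prompt to read the Tree keys.

$base  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache'
$tasks = Join-Path $base 'Tasks'
$tree  = Join-Path $base 'Tree'

function New-Finding($id, $path, $reason) {
    [pscustomobject]@{ Id = $id; Path = $path; Reason = $reason }
}

function Get-SuspiciousTasks {
    $findings = @()

    # Pass 1: every task the service knows about lives under Tasks\{GUID}.
    foreach ($t in Get-ChildItem -LiteralPath $tasks -ErrorAction SilentlyContinue) {
        $guid = $t.PSChildName
        $path = (Get-ItemProperty -LiteralPath $t.PSPath -ErrorAction SilentlyContinue).Path
        if (-not $path) {
            $findings += New-Finding $guid '<none>' 'Tasks record has no Path value'
            continue
        }

        # Tree\<path> is what the Task Scheduler UI and schtasks.exe enumerate.
        $treeKey = Join-Path $tree $path.TrimStart('\')
        if (-not (Test-Path -LiteralPath $treeKey)) {
            $findings += New-Finding $guid $path 'No Tree entry (not visible in Task Scheduler)'
            continue
        }

        $props = Get-ItemProperty -LiteralPath $treeKey -ErrorAction SilentlyContinue
        if ($props.Id -ne $guid) {
            $findings += New-Finding $guid $path "Tree Id '$($props.Id)' does not match Tasks GUID"
        }
        if ($null -eq $props.SD) {
            $findings += New-Finding $guid $path 'Tree entry has no SD value (hidden from enumeration)'
        }
    }

    # Pass 2: Tree entries that point at a GUID with no Tasks record (dangling task).
    foreach ($n in Get-ChildItem -LiteralPath $tree -Recurse -ErrorAction SilentlyContinue) {
        $id = (Get-ItemProperty -LiteralPath $n.PSPath -ErrorAction SilentlyContinue).Id
        if (-not $id) { continue }   # folder keys such as Tree\Microsoft carry no Id
        if (-not (Test-Path -LiteralPath (Join-Path $tasks $id))) {
            $rel = $n.PSPath.Substring($n.PSPath.IndexOf('\Tree\') + 5)
            $findings += New-Finding $id $rel 'Tree entry without a Tasks record'
        }
    }

    $findings
}

$result = Get-SuspiciousTasks
if ($result.Count -eq 0) {
    'No inconsistent task records found.'
} else {
    $result | Format-Table -AutoSize
}
```

Compare the reported paths with what WpTasks.exe shows and with `schtasks /query /fo LIST /v`; a task that appears in the registry but not in schtasks output is the interesting case for this PoC.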
1: Compile it as an exe and use System Informer, TokenUniverse, sandbox-attacksurface-analysis-tools
or other tools to play with it.
2: Compile it as a dll and use Reflective DLL Injection or MemoryModule to play with it in real scenarios
(Chrome Low Integrity -> gpu-process, audio.mojom.AudioService).
By the way, what happens if "donut shellcode" runs in an Untrusted sandbox process...
Windows 11 23H2 (10.0.22631.4317)
Windows Server 2016 (10.0.14393.5786)
1: https://www.tenforums.com/general-support/157178-hidden-task-revealer.html
2: https://www.tenforums.com/general-support/157178-hidden-task-revealer-6.html
3: https://cyber.wtf/2022/06/01/windows-registry-analysis-todays-episode-tasks/
4: https://github.com/gtworek/PSBits/tree/master/WNF
5: https://googleprojectzero.blogspot.com/2015/05/in-console-able.html