OSCP Notes
Scheduled Tasks

Windows Task Scheduler runs automated tasks. These tasks can execute binaries as well as scripts, and each scheduled task runs on behalf of the user who created it.

Enumeration

The following command lists every task's details in list format:

schtasks /query /fo LIST /v

The results include:

  • The author
  • The next run time
  • The target path of the task (program or script)

Searching for non-standard tasks inside a long list of built-in tasks can be frustrating; filtering the output of Get-ScheduledTask to exclude the known Microsoft tasks makes the non-standard ones easy to spot.

Get-ScheduledTask | ? { $_.Author -notlike "*Microsoft*" -and $_.TaskPath -notlike "*Microsoft\Windows*" }  | Get-ScheduledTaskInfo

Retrieve more information about a non-standard task:

schtasks /query /v /fo list /tn "<TaskPath><TaskName>"

Exploit

To exploit this, it is possible to replace the task's target file; as soon as the task runs again, the replaced file executes.

First, use icacls to check the permissions on the target file. Then replace it with a malicious one and wait for the next run time.
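The following PowerShell script is an added example, not part of the original notes: it combines the Get-ScheduledTask filter above with an ACL check on each task's target, so an administrator can audit a host for task binaries or scripts that low-privileged principals are allowed to modify, and see which account the task runs as. The helper names (Get-TaskTargetPath, Test-LowPrivWritable) and the principal list are assumptions of this example.

```powershell
# Added example (not from the original notes): list scheduled tasks whose
# target file is writable by low-privileged principals, the condition the
# Exploit section relies on. Run in a PowerShell session on the host to review.

# Principals whose write access on a task target turns it into a privilege
# escalation path (assumed list; extend it for your environment).
$LowPrivPrincipals = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone')
$WriteRights = [System.Security.AccessControl.FileSystemRights]::Write -bor
               [System.Security.AccessControl.FileSystemRights]::Modify -bor
               [System.Security.AccessControl.FileSystemRights]::FullControl

function Get-TaskTargetPath {
    param($Task)
    # A task can have several actions; only Exec actions point at a file.
    foreach ($action in $Task.Actions) {
        if ($action.Execute) {
            # Expand %SystemRoot%-style variables and strip surrounding quotes.
            [Environment]::ExpandEnvironmentVariables($action.Execute.Trim('"'))
        }
    }
}

function Test-LowPrivWritable {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return $false }
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($LowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        if (($ace.FileSystemRights -band $WriteRights) -ne 0) { return $true }
    }
    return $false
}

# Same filter as the notes: skip tasks authored by Microsoft or stored under
# the built-in \Microsoft\Windows\ folder, then inspect every target path.
Get-ScheduledTask |
    Where-Object { $_.Author -notlike '*Microsoft*' -and $_.TaskPath -notlike '*Microsoft\Windows*' } |
    ForEach-Object {
        $task = $_
        foreach ($target in Get-TaskTargetPath -Task $task) {
            [pscustomobject]@{
                TaskPath        = $task.TaskPath + $task.TaskName
                RunAsUser       = $task.Principal.UserId
                Target          = $target
                LowPrivWritable = Test-LowPrivWritable -Path $target
            }
        }
    } | Where-Object { $_.LowPrivWritable } | Format-Table -AutoSize
```

A task that shows up here with RunAsUser set to SYSTEM or an administrator is the case the notes describe; fixing it means tightening the ACL on the target file (or its parent directory) rather than touching the task itself.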

References


  • schtasks query (Microsoft Docs)
  • Get-ScheduledTask (ScheduledTasks) (Microsoft Learn)