# 14 - Scheduled Task

#### Topics

> 1. Introduction to the Windows Shells
> 2. Windows Permissions
> 3. Reverse Shells in Windows
> 4. SeImpersonatePrivilege Exploitation
> 5. On Cross Compilation
> 6. Windows Services
> 7. Weak Service Permissions
> 8. Unquoted Service Path
> 9. DLL Hijacking
> 10. Always Install Elevated
> 11. Files with Sensitive Data
> 12. Windows Hashes
> 13. Stored Credentials and the Windows Vault
> 14. Scheduled Task
> 15. Critical Registry Paths
> 16. Useful Tools
> 17. AMSI Bypass

#### **What Are Scheduled Tasks?**

Scheduled Tasks are automated jobs in Windows that execute scripts or programs based on a predefined schedule or event. Managed via the **Task Scheduler**, they are widely used for tasks such as:

* **Backups**
* **System maintenance**
* **Custom script execution**

While Scheduled Tasks offer great flexibility for automation, they also form an **attack surface** when misconfigured: a task that runs under a privileged account but executes something a less privileged user can change lets that user run code with the task's privileges.

***

#### **1.1 Scheduled Tasks Data**

Scheduled Tasks contain the following key attributes:

**1.1.1 General Information**

* **Name**: Unique identifier.
* **Path**: Folder location in Task Scheduler Library.
* **Description**: Purpose of the task.
* **Enabled/Disabled**: Whether the task is active.
* **Author**: Creator of the task.

> **Note**: Tasks with the same name can exist in different folders, but names must be unique within the same folder.

***

**1.1.2 Triggers**

Defines when a task will run. Types include:

* **Time-based Triggers**: Daily, weekly, or specific times.
* **Event-based Triggers**: Logon, system startup, or event log entry.
* **Custom Triggers**: Idle time, network connections, or workstation locking/unlocking.

***

**1.1.3 Actions**

Specifies what the task will execute:

* **Executable Path/Command**: The binary or script to run.
* **Arguments**: Parameters for the executable.
* **Working Directory**: The execution directory.

***

**1.1.4 Conditions**

Conditions under which the task will execute:

* **Idle Time**: Runs only if the system is idle.
* **Power Conditions**: Prevents execution on battery power.
* **Network Conditions**: Runs only on a specific network.

***

**1.1.5 Settings**

General task execution options:

* Allow manual execution.
* Retry missed tasks.
* Restart on failure.
* Set maximum runtime limits.

***

**1.1.6 Security Settings**

Security-related task properties:

* **Run as User**: Specifies the user account for task execution.
* **Run with Highest Privileges**: Allows elevated execution.
* **Group Access Permissions**: Defines who can modify or run the task.

***

**1.1.7 Last Run/Execution Information**

Tracks execution details:

* **Last Run Time**: Timestamp of the last execution.
* **Last Run Result**: Exit code or error details.
* **Next Run Time**: When the task will run next.

***

## **Enumeration**

### **List All Scheduled Tasks**

```powershell
Get-ScheduledTask
```

```cmd
schtasks /query
```

### **List Tasks in Specific Folder**

```powershell
Get-ScheduledTask | Where-Object {$_.TaskPath -eq "\Microsoft\Windows\Shell\"}
```

### **Detailed Information**

```powershell
# Last run time, last run result and next run time of one task
Get-ScheduledTask -TaskName "MyTask" | Get-ScheduledTaskInfo
# Verbose listing of every task, including Run As User and Task To Run
schtasks /query /FO LIST /V
# Every property (triggers, actions, principal, settings) of one task
Get-ScheduledTask -TaskName "XblGameSaveTask" | Format-List *
```

### **Export Task Configuration as XML**

```powershell
Export-ScheduledTask -TaskName "XblGameSaveTask" -TaskPath "\Microsoft\XblGameSave\"
```
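The enumeration above lists tasks but does not tell you which ones are actually misconfigured. As an added audit check (not part of the original page), the following PowerShell walks every enabled task, resolves each Exec action's program and any absolute path in its arguments, and reports targets (or their parent directories) that low-privileged identities can write to. The list of "weak" identities and the path regex are assumptions; adjust them for your environment.

```powershell
# Added example, not from the original page: audit task action targets for weak ACLs.
# Requires the ScheduledTasks module (Windows 8 / Server 2012 and later).
function Get-WritableTaskTargets {
    # Assumed list of identities whose write access counts as weak; extend as needed.
    $weakIdentities = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users',
                        'NT AUTHORITY\INTERACTIVE', "$env:USERDOMAIN\$env:USERNAME")
    # Write-type bits only (Modify and FullControl contain them, so they match too).
    # Generic rights (e.g. GENERIC_ALL on inherit-only ACEs) are not mapped here.
    $writeMask = [System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'

    foreach ($task in (Get-ScheduledTask | Where-Object { $_.State -ne 'Disabled' })) {
        foreach ($action in $task.Actions) {
            if (-not $action.Execute) { continue }   # skip COM-handler / non-Exec actions
            # Targets: the program itself plus any absolute path in its arguments
            # (for example the script passed via -File).
            $targets = @([Environment]::ExpandEnvironmentVariables($action.Execute.Trim('"')))
            if ($action.Arguments) {
                $targets += [regex]::Matches($action.Arguments, '[A-Za-z]:\\[^"\s]+') |
                            ForEach-Object { $_.Value }
            }
            foreach ($t in $targets) {
                if (-not (Test-Path -LiteralPath $t)) { continue }   # bare names like notepad.exe
                # A writable parent directory is just as bad: the file can be replaced.
                foreach ($p in @($t, (Split-Path -Parent $t))) {
                    $weak = (Get-Acl -LiteralPath $p).Access | Where-Object {
                        $_.AccessControlType -eq 'Allow' -and
                        $weakIdentities -contains $_.IdentityReference.Value -and
                        ($_.FileSystemRights -band $writeMask)
                    }
                    if ($weak) {
                        [pscustomobject]@{
                            Task       = $task.TaskPath + $task.TaskName
                            RunAs      = $task.Principal.UserId
                            RunLevel   = $task.Principal.RunLevel
                            Path       = $p
                            WritableBy = (@($weak.IdentityReference.Value) | Select-Object -Unique) -join ', '
                        }
                    }
                }
            }
        }
    }
}

# Tasks running as SYSTEM or with the highest run level deserve attention first.
Get-WritableTaskTargets | Sort-Object RunLevel -Descending | Format-Table -AutoSize
```

Run it from an elevated prompt so that `Get-ScheduledTask` returns tasks from every folder, not only those visible to the current user.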

***

## **Creation and Deletion**

### **Create a Task**

Run `notepad.exe` at user logon:

```powershell
# What to run
$action = New-ScheduledTaskAction -Execute "notepad.exe"
# When to run it: at interactive logon
$trigger = New-ScheduledTaskTrigger -AtLogOn
# Register the task; replace DOMAIN\User with the account it should run as
Register-ScheduledTask -TaskName "MyTask" -Action $action -Trigger $trigger -User "DOMAIN\User"
```

### **Delete a Task**

```powershell
Unregister-ScheduledTask -TaskName "MyTask" -Confirm:$false
```

***

## **Exploitation**

### **Create a Malicious Task**

Execute `test1.ps1` as `SYSTEM` every minute for a year:

```powershell
# Action: run the script with powershell.exe
$Action = New-ScheduledTaskAction -Execute "powershell.exe" -Argument "-File C:\Users\Quickemu\tasks\test1.ps1"
# Trigger: start now, repeat every minute, keep repeating for 365 days
$Trigger = New-ScheduledTaskTrigger -Once -At (Get-Date) -RepetitionInterval (New-TimeSpan -Minutes 1) -RepetitionDuration (New-TimeSpan -Days 365)
# Principal: SYSTEM (service account logon) at the highest run level
$Principal = New-ScheduledTaskPrincipal -UserId "SYSTEM" -LogonType ServiceAccount -RunLevel Highest
# Registering a SYSTEM principal itself requires administrative rights
Register-ScheduledTask -TaskName "MaliciousTask" -Action $Action -Trigger $Trigger -Principal $Principal
```

### **Remove Malicious Task**

```powershell
Unregister-ScheduledTask -TaskName "MaliciousTask" -Confirm:$false
```
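From the defender's side, a registration like the one above leaves a trace in the event log. As an added detection example (not part of the original page), the following PowerShell collects recent task registrations from Security event 4698 and from TaskScheduler Operational event 106, parses the task XML embedded in 4698 to extract the principal and command, and flags tasks created to run as SYSTEM or at the highest run level. The event field names are the standard ones for these two events; the 24-hour window is an assumption.

```powershell
# Added example, not from the original page: surface recent task registrations from
# the event log and highlight those created to run as SYSTEM at the highest run level.
function Get-RecentTaskRegistrations {
    param([int]$Hours = 24)
    $since = (Get-Date).AddHours(-$Hours)

    # Turn an event's <EventData><Data Name=...> children into a hashtable.
    function Get-EventData($evt) {
        $h = @{}
        foreach ($d in ([xml]$evt.ToXml()).Event.EventData.Data) { $h[$d.Name] = $d.'#text' }
        $h
    }

    # Security 4698 "A scheduled task was created". Requires the
    # "Audit Other Object Access Events" subcategory; carries the full task XML.
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4698; StartTime=$since} -ErrorAction SilentlyContinue |
      ForEach-Object {
        $d = Get-EventData $_
        $t = [xml]$d['TaskContent']
        [pscustomobject]@{
            Time     = $_.TimeCreated
            Source   = 'Security/4698'
            Task     = $d['TaskName']
            Creator  = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
            RunAs    = $t.Task.Principals.Principal.UserId
            RunLevel = $t.Task.Principals.Principal.RunLevel
            Command  = (@($t.Task.Actions.Exec) | ForEach-Object { "$($_.Command) $($_.Arguments)" }) -join '; '
        }
      }

    # TaskScheduler Operational 106 "Task registered". This log is disabled by default on
    # current Windows clients; enable it with:
    #   wevtutil set-log Microsoft-Windows-TaskScheduler/Operational /enabled:true
    Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-TaskScheduler/Operational'; Id=106; StartTime=$since} -ErrorAction SilentlyContinue |
      ForEach-Object {
        $d = Get-EventData $_
        [pscustomobject]@{
            Time = $_.TimeCreated; Source = 'TaskScheduler/106'; Task = $d['TaskName']
            Creator = $d['UserContext']; RunAs = $null; RunLevel = $null; Command = $null
        }
      }
}

# A SYSTEM principal is stored as S-1-5-18 in the task XML; highest run level is HighestAvailable.
Get-RecentTaskRegistrations -Hours 24 |
    Where-Object { $_.RunAs -match '^(S-1-5-18|SYSTEM)$' -or $_.RunLevel -eq 'HighestAvailable' } |
    Sort-Object Time -Descending | Format-Table Time, Source, Task, Creator, RunAs, RunLevel, Command -AutoSize
```

Reading the Security log needs administrative rights; the deletion command above produces event 4699 (and 141 in the Operational log), so a register/delete pair within minutes is itself worth a look.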

***

## Other Resources

* **Microsoft Task Scheduler Documentation**:\
  [Task Scheduler Developer Guide](https://learn.microsoft.com/it-it/windows/win32/taskschd/task-scheduler-start-page)

{% hint style="danger" %}
**Disclaimer**

**❗ Never use tools and techniques on real IP addresses, hosts or networks without proper authorization! ❗**
{% endhint %}

