14 - Scheduled Task

What Are Scheduled Tasks?

Scheduled Tasks are automated jobs in Windows that execute scripts or programs based on a predefined schedule or event. Managed via the Task Scheduler, they are widely used for tasks such as:

  • Backups

  • System maintenance

  • Custom script execution

Scheduled Tasks offer great flexibility for automation, but a misconfigured task becomes an attack surface.


1.1 Scheduled Tasks Data

Scheduled Tasks contain the following key attributes:

1.1.1 General Information

  • Name: Unique identifier.

  • Path: Folder location in Task Scheduler Library.

  • Description: Purpose of the task.

  • Enabled/Disabled: Whether the task is active.

  • Author: Creator of the task.

Note: Tasks with the same name can exist in different folders, but names must be unique within the same folder.


1.1.2 Triggers

Defines when a task will run. Types include:

  • Time-based Triggers: Daily, weekly, or specific times.

  • Event-based Triggers: Logon, system startup, or event log entry.

  • Custom Triggers: Idle time, network connections, or workstation locking/unlocking.


1.1.3 Actions

Specifies what the task will execute:

  • Executable Path/Command: The binary or script to run.

  • Arguments: Parameters for the executable.

  • Working Directory: The execution directory.


1.1.4 Conditions

Conditions under which the task will execute:

  • Idle Time: Runs only if the system is idle.

  • Power Conditions: Prevents execution on battery power.

  • Network Conditions: Runs only on a specific network.


1.1.5 Settings

General task execution options:

  • Allow manual execution.

  • Retry missed tasks.

  • Restart on failure.

  • Set maximum runtime limits.


Security Settings

Security-related task properties:

  • Run as User: Specifies the user account for task execution.

  • Run with Highest Privileges: Allows elevated execution.

  • Group Access Permissions: Defines who can modify or run the task.


Last Run/Execution Information

Tracks execution details:

  • Last Run Time: Timestamp of the last execution.

  • Last Run Result: Exit code or error details.

  • Next Run Time: When the task will run next.


Enumeration

List All Scheduled Tasks

Get-ScheduledTask
schtasks /query

List Tasks in Specific Folder

Get-ScheduledTask | Where-Object {$_.TaskPath -eq "\Microsoft\Windows\Shell\"}

Detailed Information

Get-ScheduledTask -TaskName "MyTask" | Get-ScheduledTaskInfo
schtasks /query /FO LIST /V
Get-ScheduledTask -TaskName "XblGameSaveTask" | Format-List *

Export Task Configuration as XML

Export-ScheduledTask -TaskName "XblGameSaveTask" -TaskPath "\Microsoft\XblGameSave\"

Creation and Deletion

Create a Task

Run notepad.exe at user logon:

$action = New-ScheduledTaskAction -Execute "notepad.exe"
$trigger = New-ScheduledTaskTrigger -AtLogOn
Register-ScheduledTask -TaskName "MyTask" -Action $action -Trigger $trigger -User "DOMAIN\User"

Delete a Task

Unregister-ScheduledTask -TaskName "MyTask" -Confirm:$false

Exploitation

Create a Malicious Task

Execute test1.ps1 as SYSTEM every minute for a year. Registering a task under the SYSTEM principal requires an elevated (administrator) session:

$Action = New-ScheduledTaskAction -Execute "powershell.exe" -Argument "-File C:\Users\Quickemu\tasks\test1.ps1"
$Trigger = New-ScheduledTaskTrigger -Once -At (Get-Date) -RepetitionInterval (New-TimeSpan -Minutes 1) -RepetitionDuration (New-TimeSpan -Days 365)
$Principal = New-ScheduledTaskPrincipal -UserId "SYSTEM" -LogonType ServiceAccount -RunLevel Highest
Register-ScheduledTask -TaskName "MaliciousTask" -Action $Action -Trigger $Trigger -Principal $Principal

Remove Malicious Task

Unregister-ScheduledTask -TaskName "MaliciousTask" -Confirm:$false
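
Audit for the Pattern Above

To find tasks like the one above from the defender's side, this added example (not part of the original page) lists every task that runs as SYSTEM or with highest privileges and reports any file it executes that a principal outside a trusted set can modify. The trusted SID list, the write mask and the function names are assumptions of this example.

```powershell
# Added audit example, not from the original page. It only reads task and ACL data.
# Assumption: only these principals may modify a file that a privileged task executes.
$TrustedSids = @(
    'S-1-5-18',      # NT AUTHORITY\SYSTEM
    'S-1-5-32-544',  # BUILTIN\Administrators
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # TrustedInstaller
)
# WriteData, AppendData, Delete, ChangePermissions, TakeOwnership, GENERIC_ALL, GENERIC_WRITE
$WriteMask = 0x2 -bor 0x4 -bor 0x10000 -bor 0x40000 -bor 0x80000 -bor 0x10000000 -bor 0x40000000

function Get-UntrustedWriter([string]$Path) {
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) { return }
    $acl = Get-Acl -LiteralPath $Path -ErrorAction SilentlyContinue
    if (-not $acl) { return }
    # Ask for SIDs instead of account names so the check works on localized systems.
    $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            ([int]$_.FileSystemRights -band $WriteMask) -ne 0 -and
            $_.IdentityReference.Value -notin $TrustedSids
        } | ForEach-Object { $_.IdentityReference.Value } | Select-Object -Unique
}

function Find-RiskyScheduledTask {
    foreach ($task in Get-ScheduledTask) {
        $p = $task.Principal
        $isPrivileged = ($p.UserId -match '^(NT AUTHORITY\\)?SYSTEM$|^S-1-5-18$') -or
                        ($p.RunLevel -eq 'Highest')
        if (-not $isPrivileged) { continue }
        # Only exec actions carry Execute/Arguments; COM handler actions are skipped.
        foreach ($action in $task.Actions | Where-Object { $_.Execute }) {
            $exe     = [Environment]::ExpandEnvironmentVariables($action.Execute.Trim('"'))
            $argText = [Environment]::ExpandEnvironmentVariables("$($action.Arguments)")
            # Candidates: the program (bare names are not resolved via PATH) plus
            # absolute paths, quoted or unquoted, found in the arguments.
            $files = @($exe) + @([regex]::Matches($argText, '"([A-Za-z]:\\[^"]+)"|([A-Za-z]:\\\S+)') |
                ForEach-Object { $_.Groups[1].Value + $_.Groups[2].Value })
            foreach ($file in $files | Select-Object -Unique) {
                $writers = @(Get-UntrustedWriter -Path $file)
                if ($writers.Count -eq 0) { continue }
                [pscustomobject]@{
                    Task    = $task.TaskPath + $task.TaskName
                    RunAs   = $p.UserId
                    File    = $file
                    Writers = $writers -join ', '
                }
            }
        }
    }
}
Find-RiskyScheduledTask | Format-Table -AutoSize -Wrap
```

Run it from an elevated session so that every task and ACL is readable. Each row is a lead to review: a task such as MaliciousTask above is reported when its script under C:\Users\ is writable by the profile owner.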

Disclaimer

❗ Never use tools and techniques on real IP addresses, hosts or networks without proper authorization!
