# 14 - Scheduled Task

#### Topics <a href="#topics" id="topics"></a>

> 1. Introduction to the Windows Shells
> 2. Windows Permissions
> 3. Reverse Shells in Windows
> 4. SeImpersonatePrivilege Exploitation
> 5. On Cross Compilation
> 6. Windows Services
> 7. Weak Service Permissions
> 8. Unquoted Service Path
> 9. DLL Hijacking
> 10. Always Install Elevated
> 11. Files with Sensitive Data
> 12. Windows Hashes
> 13. Stored Credentials and the Windows Vault
> 14. Scheduled Task
> 15. Critical Registry Paths
> 16. Useful Tools
> 17. AMSI Bypass

#### **What Are Scheduled Tasks?**

Scheduled Tasks are automated jobs in Windows that execute scripts or programs based on a predefined schedule or event. Managed via the **Task Scheduler**, they are widely used for tasks such as:

* **Backups**
* **System maintenance**
* **Custom script execution**

While Scheduled Tasks offer great flexibility for automation, they are also an **attack surface** when misconfigured: a task that runs as a privileged account (for example `SYSTEM` or a local administrator) but executes a binary or script that a lower-privileged user can modify lets that user run code with the task's privileges.

***

#### **1.1 Scheduled Tasks Data**

Scheduled Tasks contain the following key attributes:

**1.1.1 General Information**

* **Name**: Unique identifier.
* **Path**: Folder location in Task Scheduler Library.
* **Description**: Purpose of the task.
* **Enabled/Disabled**: Whether the task is active.
* **Author**: Creator of the task.

> **Note**: Tasks with the same name can exist in different folders, but names must be unique within the same folder.

***

**1.1.2 Triggers**

Defines when a task will run. Types include:

* **Time-based Triggers**: Daily, weekly, or specific times.
* **Event-based Triggers**: Logon, system startup, or event log entry.
* **Custom Triggers**: Idle time, network connections, or workstation locking/unlocking.

***

**1.1.3 Actions**

Specifies what the task will execute:

* **Executable Path/Command**: The binary or script to run.
* **Arguments**: Parameters for the executable.
* **Working Directory**: The execution directory.

***

**1.1.4 Conditions**

Conditions under which the task will execute:

* **Idle Time**: Runs only if the system is idle.
* **Power Conditions**: Prevents execution on battery power.
* **Network Conditions**: Runs only on a specific network.

***

**1.1.5 Settings**

General task execution options:

* Allow manual execution.
* Retry missed tasks.
* Restart on failure.
* Set maximum runtime limits.

***

**1.1.6 Security Settings**

Security-related task properties:

* **Run as User** (the task *principal*): The account the task executes as. Tasks running as `SYSTEM`, a service account or an administrator are the interesting ones from a privilege escalation point of view.
* **Run with Highest Privileges**: Runs the task with the principal's full (elevated) token instead of the UAC-filtered one.
* **Task Permissions**: The DACL on the task itself (stored as an XML file under `%SystemRoot%\System32\Tasks` and in the registry under `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache`) defines who can read, modify, run or delete the task.

***

**1.1.7 Last Run/Execution Information**

Tracks execution details:

* **Last Run Time**: Timestamp of the last execution.
* **Last Run Result**: Exit code or error details.
* **Next Run Time**: When the task will run next.

***

## **Enumeration**

### **List All Scheduled Tasks**

```powershell
# PowerShell cmdlet (ScheduledTasks module)
Get-ScheduledTask

# Classic command-line tool, works from cmd.exe and PowerShell
schtasks /query
```

### **List Tasks in Specific Folder**

```powershell
# Get-ScheduledTask filters on the folder directly; note the trailing backslash
Get-ScheduledTask -TaskPath "\Microsoft\Windows\Shell\"

# Equivalent client-side filter
Get-ScheduledTask | Where-Object {$_.TaskPath -eq "\Microsoft\Windows\Shell\"}
```

### **Detailed Information**

```powershell
# Run history for one task: LastRunTime, LastTaskResult, NextRunTime
Get-ScheduledTask -TaskName "MyTask" | Get-ScheduledTaskInfo

# Every task with all fields (Run As User, Task To Run, triggers) in list form
schtasks /query /FO LIST /V

# Full task object: Principal, Actions, Triggers and Settings
Get-ScheduledTask -TaskName "XblGameSaveTask" | Format-List *
```

### **Export Task Configuration as XML**

```powershell
# Prints the task definition as XML; redirect to a file to keep it
Export-ScheduledTask -TaskName "XblGameSaveTask" -TaskPath "\Microsoft\XblGameSave\"
```
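The enumeration commands above list tasks one at a time. What a practitioner actually wants during a privilege escalation check is a single pass over every non-Microsoft task that shows who it runs as and whether the current user can modify the program or script it executes. The following script is an added example, not code from the original page; it assumes an unprivileged PowerShell session on the target and that the `ScheduledTasks` module is available (Windows 8 / Server 2012 and later). The `Test-WritablePath` helper is hypothetical and defined here.

```powershell
# Added example: enumerate non-Microsoft tasks and flag action targets the
# current user can write to. Assumption: run as the low-privileged user whose
# rights you want to test; writable results mean that user can hijack the task.

function Test-WritablePath {
    param([string]$Path)
    if (-not $Path) { return $false }
    # Task actions often contain %SystemRoot% or quoted paths; normalise both.
    $expanded = [Environment]::ExpandEnvironmentVariables($Path.Trim('"'))
    if (-not (Test-Path -LiteralPath $expanded)) {
        # A bare name such as "notepad.exe" is resolved through PATH at run time
        $cmd = Get-Command $expanded -ErrorAction SilentlyContinue
        if (-not $cmd -or -not $cmd.Source) { return $false }
        $expanded = $cmd.Source
    }
    try {
        # Opening for write without truncating is denied when the DACL denies us.
        # A file that is currently executing may fail with a sharing violation,
        # which shows up here as "not writable" (a false negative, not a false positive).
        $fs = [System.IO.File]::Open($expanded, 'Open', 'Write', 'ReadWrite')
        $fs.Close()
        return $true
    } catch {
        return $false
    }
}

$results = Get-ScheduledTask |
    Where-Object { $_.TaskPath -notlike '\Microsoft\*' } |
    ForEach-Object {
        $task = $_
        $info = $task | Get-ScheduledTaskInfo
        foreach ($action in $task.Actions) {
            # Only ExecAction exposes Execute; COM-handler and e-mail actions are skipped
            if (-not $action.Execute) { continue }

            # If the action is "powershell.exe -File x.ps1", the script is the real target
            $script = $null
            if ($action.Arguments -match '(?i)-File\s+"?([^"]+\.ps1)"?') {
                $script = $Matches[1]
            }

            [PSCustomObject]@{
                Task           = $task.TaskPath + $task.TaskName
                RunAs          = $task.Principal.UserId
                RunLevel       = $task.Principal.RunLevel
                State          = $task.State
                LastRun        = $info.LastRunTime
                NextRun        = $info.NextRunTime
                Execute        = $action.Execute
                Arguments      = $action.Arguments
                ExeWritable    = Test-WritablePath $action.Execute
                ScriptWritable = if ($script) { Test-WritablePath $script } else { $null }
            }
        }
    }

# Writable targets first; a SYSTEM or Administrator RunAs next to a $true here
# is the misconfiguration this page is about.
$results | Sort-Object ExeWritable, ScriptWritable -Descending | Format-List
```

Run it as the user you are trying to escalate from, not from an elevated shell, or every path will look writable. Tasks under `\Microsoft\` are skipped only to keep the output short; drop the `Where-Object` filter to include them.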

***

## **Creation and Deletion**

### **Create a Task**

Run `notepad.exe` at user logon. Without `-Password` the task is registered with an interactive logon type, so it runs only while that user is logged on:

```powershell
$action = New-ScheduledTaskAction -Execute "notepad.exe"
$trigger = New-ScheduledTaskTrigger -AtLogOn
# Registers under the current task folder ("\"); add -TaskPath to place it elsewhere
Register-ScheduledTask -TaskName "MyTask" -Action $action -Trigger $trigger -User "DOMAIN\User"
```

### **Delete a Task**

```powershell
Unregister-ScheduledTask -TaskName "MyTask" -Confirm:$false
```

***

## **Exploitation**

### **Create a Malicious Task**

Execute `test1.ps1` as `SYSTEM` every minute for a year. This is a persistence technique, not a privilege escalation on its own: registering a task with a `SYSTEM` principal is denied unless the shell is already running elevated (local administrator). `-ExecutionPolicy Bypass` is added so the script runs even when the machine's execution policy is `Restricted`:

```powershell
$Action = New-ScheduledTaskAction -Execute "powershell.exe" -Argument "-NoProfile -ExecutionPolicy Bypass -File C:\Users\Quickemu\tasks\test1.ps1"
# One-shot trigger starting now, repeated every minute for 365 days
$Trigger = New-ScheduledTaskTrigger -Once -At (Get-Date) -RepetitionInterval (New-TimeSpan -Minutes 1) -RepetitionDuration (New-TimeSpan -Days 365)
# SYSTEM principal with the highest run level; requires an elevated session to register
$Principal = New-ScheduledTaskPrincipal -UserId "SYSTEM" -LogonType ServiceAccount -RunLevel Highest
Register-ScheduledTask -TaskName "MaliciousTask" -Action $Action -Trigger $Trigger -Principal $Principal
```

### **Remove Malicious Task**

```powershell
Unregister-ScheduledTask -TaskName "MaliciousTask" -Confirm:$false
```

***

## Other Resources

* **Microsoft Task Scheduler Documentation**:\
  [Task Scheduler Developer Guide](https://learn.microsoft.com/it-it/windows/win32/taskschd/task-scheduler-start-page)

{% hint style="danger" %}
**Disclaimer**

**❗ Never use tools and techniques on real IP addresses, hosts or networks without proper authorization! ❗**
{% endhint %}
