Scheduled Tasks

Theory

In Windows, the Task Scheduler service allows to run automated tasks on a chosen computer. The tasks are used to run programms when a specific trigger occurs. Triggers work like conditions, triggering the execution of one or more actions when they are met. For example, a trigger can be temporal, linked to a particular date, launched when the system starts up, when the user logs on or in response to a Windows event.

If its misconfigured, it can be an interesting vector for privilege escalation. At the enumeration stage we are interested into following Scheduled Tasks parameters:

The "Run As User" (i.e under which user the task will run)
The Trigger (i.e when the task will be run)
The task to be run (i.e what will be executed by this task)

Practice

To enumerate scheduled tasks, we may use following PowerShell commands.

Get-ScheduledTask

The command schtasks can be used to enumerate scheduled tasks from a cmd.

schtasks /query /fo LIST /v

Last updated 7 months ago