Scheduled Tasks (ATSVC)

Theory

Windows scheduled tasks can also be leveraged to run arbitrary commands since they execute a command when started. When using schtasks, it will try to connect to the Microsoft AT-Scheduler Service (ATSVC) remote service program through RPC in several ways:

By using MS-TSCH protocols over RPC to connect EMP at port 135. WIll ask for the ATSVC RPC Endpoint wich is a dynamic port
Try to reach ATSVC Through SMB named pipes (\PIPE\atsvc) on port 445 (SMB) or 139 (SMB over NetBIOS)

Practice

The Impacket script atexec.py can be used to interact with Scheduled Tasks.

#Remotely exec a scheduled command 
atexec.py <domain>/<username>:<password>@<target> "whoami"

On windows, we can use the built in schtasks.exe binary to remotely interact with services

#Remotely schedule a Task
schtasks /s TARGET /RU "SYSTEM" /create /tn "MyTask" /tr "<command/payload to execute>" /sc ONCE /sd 01/01/1970 /st 00:00 

#Remotely Run It 
schtasks /s TARGET /run /TN "MyTask" 

#Remotely Delete a Task
schtasks /S TARGET /TN "MyTask" /DELETE /F

Resources

Last updated 1 year ago

Was this helpful?