8. Scheduled Tasks

• Windows uses the Task Scheduler to execute various automated tasks.
• They are executed on triggers, which are conditions set to a specific time or event.
• An action specifies which program or script to execute.
• Three vital pieces of information about tasks:
  • As which user account (principal) does this task get executed?
  • What triggers are specified for the task?
  • What actions are executed when one or more of these triggers are met?

Scheduled Task Privesc

1. Enumerate scheduled tasks:

schtasks /query /fo LIST /v

2. Check permissions of the directory of the wanted binary to replace with 'icacls'.
3. Win!

Enumeration Queries:

Windows Tasks Exclude Directory Search Query:

schtasks /query /fo LIST /v | findstr /v /c:"system32" /c:"root"

Get-ScheduledTask | findstr /v /i /c:"\Microsoft\Windows"

• Can add multiple "/c:" for multiple parameters
• Remove /v to filter for instead of excluding
• /i makes it case-sensitive

One-liner to show binary paths only and exclude system32 and com handler (should work well):

schtasks /query /fo LIST /v | findstr /B /C:"Task To Run" | findstr /v /c:"root" /c:"System32" /c:"system32" /c:"COM"