Red Teaming Experiments
Schtask
Code execution, privilege escalation, lateral movement and persistence.
Execution
Creating a new scheduled task that will launch shell.cmd every minute:
schtasks /create /sc minute /mo 1 /tn "eviltask" /tr C:\tools\shell.cmd /ru "SYSTEM"
Observations
Note that processes spawned as scheduled tasks have the taskeng.exe process as their parent.
Monitoring and inspecting the command-line arguments of processes and the network connections they establish can help uncover suspicious activity.
Also, look for event 4698, which indicates the creation of a new scheduled task.
Lateral Movement
Note that when schtasks is used for lateral movement, the spawned processes do not have taskeng.exe as their parent, but svchost instead:
schtasks /create /sc minute /mo 1 /tn "eviltask" /tr calc /ru "SYSTEM" /s dc-mantvydas /u user /p password
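The command-line inspection suggested under Observations can be automated. The following is an added example, not code from the original page: it parses schtasks command lines as they would appear in process-creation logging and lists the attributes of the two commands above that merit review. The finding labels and the 5-minute threshold are assumptions chosen for illustration.

```python
import shlex

# schtasks /create switches that take a value (names as used in the page's commands).
VALUE_SWITCHES = {"/sc", "/mo", "/tn", "/tr", "/ru", "/s", "/u", "/p"}
MAX_MINUTES = 5  # assumption: repeat intervals this short are worth a look

def parse_schtasks(cmdline):
    """Return {switch: value-or-True} for a schtasks command line, else None."""
    # posix=False keeps Windows backslashes intact; quotes are stripped by hand.
    tokens = [t.strip('"') for t in shlex.split(cmdline, posix=False)]
    if not tokens or tokens[0].lower().rsplit("\\", 1)[-1] not in ("schtasks", "schtasks.exe"):
        return None
    args, i = {}, 1
    while i < len(tokens):
        key = tokens[i].lower()
        has_value = i + 1 < len(tokens) and not tokens[i + 1].startswith("/")
        if key in VALUE_SWITCHES and has_value:
            args[key] = tokens[i + 1]
            i += 2
        else:
            args[key] = True  # bare switch such as /create, or a value-less /p
            i += 1
    return args

def findings(cmdline):
    """List the attributes of a task-creation command that merit review."""
    args = parse_schtasks(cmdline)
    if not args or "/create" not in args:
        return []
    out = []
    if str(args.get("/ru", "")).upper() in ("SYSTEM", "NT AUTHORITY\\SYSTEM"):
        out.append("runs-as-system")
    if isinstance(args.get("/s"), str):
        out.append("remote-target:" + args["/s"])
    if isinstance(args.get("/p"), str):
        out.append("password-on-command-line")
    every = str(args.get("/mo", "1"))
    if str(args.get("/sc", "")).lower() == "minute" and every.isdigit() and int(every) <= MAX_MINUTES:
        out.append("high-frequency")
    return out

# Constructed sample: the two command lines from this page plus a benign query.
SAMPLES = [
    r'schtasks /create /sc minute /mo 1 /tn "eviltask" /tr C:\tools\shell.cmd /ru "SYSTEM"',
    r'schtasks /create /sc minute /mo 1 /tn "eviltask" /tr calc /ru "SYSTEM" /s dc-mantvydas /u user /p password',
    r'schtasks /query /fo list',
]
```

Calling findings() on each entry of SAMPLES returns the review labels for that command line; an empty list means nothing was flagged.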