Scheduled Task Backdoor
h4wkst3r edited this page Jul 17, 2019 · 1 revision
This persistence technique backdoors a scheduled task by adding an additional action to it. In this module, you will provide a scheduled task name to backdoor, and a system command to run.
- Non-admin privileges (for non-admin scheduled tasks)
- Admin privileges (for admin scheduled tasks)
- -c - command to execute
- -a - arguments to command to execute (if applicable)
- -n - scheduled task name
- -m - method (add, remove, check, list)
- -o - optional add-on for frequency (logon, daily, hourly) if applicable
- An action running the system command you provided is added to the scheduled task. Your additional action will run after the first action has completed.
- When backdooring a scheduled task as admin, you need to be in a high integrity process (there is a safety check for this).
- The very last action added to the scheduled task is removed, which is the one you added.
SharPersist -t schtaskbackdoor -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -n "Something Cool" -m add
SharPersist -t schtaskbackdoor -n "Something Cool" -m remove
SharPersist -t schtaskbackdoor -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -n "Something Cool" -m check
SharPersist -t schtaskbackdoor -m list
SharPersist -t schtaskbackdoor -m list -n "Some Task"
SharPersist -t schtaskbackdoor -m list -o logon
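
A defender-side check for the behaviour described above (an extra action appended after a task's existing one), as an added example that is not part of SharPersist or the original page. It reads Task Scheduler XML, as exported by `schtasks /query /xml` or stored under `C:\Windows\System32\Tasks`, and reports actions that go beyond a known-good baseline; the baseline format, the helper names and the sample task contents are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Namespace used by Task Scheduler task definitions.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

def task_actions(task_xml):
    """Return a task's actions, in execution order, as (type, command, arguments)."""
    root = ET.fromstring(task_xml)
    out = []
    for node in root.findall("t:Actions/*", NS):
        kind = node.tag.rsplit("}", 1)[-1]           # Exec, ComHandler, ...
        cmd = node.findtext("t:Command", "", NS).strip()
        args = node.findtext("t:Arguments", "", NS).strip()
        out.append((kind, cmd, args))
    return out

def audit(baseline, current):
    """Compare {task name: XML} with {task name: known-good action list}.

    Returns {task name: (verdict, actions to review)} for tasks that need a look.
    """
    findings = {}
    for name, xml_text in current.items():
        actions = task_actions(xml_text)
        known = baseline.get(name)
        if known is None:
            if len(actions) > 1:                     # no baseline: flag multi-action tasks
                findings[name] = ("multi-action, no baseline", actions[1:])
        elif actions[:len(known)] == known and len(actions) > len(known):
            findings[name] = ("action appended", actions[len(known):])
        elif actions != known:
            findings[name] = ("actions changed", actions)
    return findings

# Constructed sample data (hypothetical tasks, not real captures).
def _task(*execs):
    body = "".join(
        f"<Exec><Command>{c}</Command><Arguments>{a}</Arguments></Exec>" for c, a in execs)
    return f'<Task xmlns="{NS["t"]}"><Actions Context="Author">{body}</Actions></Task>'

UPDATER = (r"C:\Program Files\Example\updater.exe", "/silent")
SAMPLE_BASELINE = {"Something Cool": [("Exec",) + UPDATER]}
SAMPLE_CURRENT = {
    "Something Cool": _task(UPDATER, (r"C:\Windows\System32\cmd.exe", "/c calc.exe")),
    "Some Task": _task(UPDATER),
}

if __name__ == "__main__":
    for task, (verdict, actions) in audit(SAMPLE_BASELINE, SAMPLE_CURRENT).items():
        print(task, verdict, actions)
```
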