Task Scheduler
Schtasks Quick Reference
The most common way to schedule tasks is using the built-in Windows task scheduler.
Let's create a task that runs a reverse shell every single hour.
To check if our task was successfully created, we can use the following command:
Making Our Task Invisible
Our task should be up and running by now, but if the compromised user tries to list its scheduled tasks, our backdoor will be noticeable.
To further hide our scheduled task, we can make it invisible to any user in the system by deleting its
Security Descriptor (SD)
. The security descriptor is simply an ACL that states which users have access to the scheduled task.If your user isn't allowed to query a scheduled task, you won't be able to see it anymore, as Windows only shows you the tasks that you have permission to use. -
Deleting the SD is equivalent to disallowing all users' access to the scheduled task, including administrators.
The security descriptors of all scheduled tasks are stored in
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\
. You will find a registry key for every task, under which a value named "SD
" contains the security descriptor.You can only erase the value if you hold
SYSTEM
privileges.To hide our task, let's delete the
SD
value for the "TaskBackdoor
" task we created before. To do so, we will usepsexec
to open Regedit with SYSTEM privileges:
We will then delete the security descriptor for our task:
If we try to query our service again, the system will tell us there is no such task:
atexec Scheduled Task Execution
Last updated