Scheduled task is one of the most popular attack technique in the past decade and now it is still commonly used by hackers/red teamers for persistence and lateral movement.
A number of C# tools were already developed to simulate the attack using scheduled task. I have been playing around with some of them but each of them has its own limitations on customizing the scheduled task. Therefore, this project aims to provide a C# tool to include the features that I want and provide enough flexibility on customizing the scheduled task.
Screenshot:
Methods (/method):
Method | Function |
---|---|
create | create a new scheduled task |
delete | delete an existing scheduled task |
run | execute an existing scheduled task |
query | query details for a scheduled task or all scheduled tasks under a folder |
queryfolders | query all sub-folders in scheduled task |
move | perform lateral movement using scheduled task (automatically create, run and delete) |
Options for scheduled task creation (/method:create):
Method | Function |
---|---|
[*] /taskname | Specify the name of the scheduled task |
[*] /program | Specify the program that the task runs |
[*] /trigger | Specify the schedule type. The valid values include: "minute", "hourly", "daily", "onstart", "onlogon", "onidle" |
/modifier | Specify how often the task runs within its schedule type. Applicable only for schedule type such as "minute" (e.g., 1-1439 minutes) and "hourly" (e.g., 1-23 hours) |
/starttime | Specify the start time for daily schedule type (e.g., 23:30) |
/argument | Specify the command line argument for the program |
/folder | Specify the folder where the scheduled task stores (default: \) |
/author | Specify the author of the scheduled task |
/description | Specify the description for the scheduled task |
/remoteserver | Specify the hostname or IP address of a remote computer |
/user | Run the task with a specified user account |
[*] are mandatory fields.
Options for scheduled task deletion (/method:delete):
Method | Function |
---|---|
[*] /taskname | Specify the name of the scheduled task |
/folder | Specify the folder where the scheduled task stores (default: \) |
/remoteserver | Specify the hostname or IP address of a remote computer |
[*] are mandatory fields.
Options for scheduled task execution (/method:run):
Method | Function |
---|---|
[*] /taskname | Specify the name of the scheduled task |
/folder | Specify the folder where the scheduled task stores (default: \) |
/remoteserver | Specify the hostname or IP address of a remote computer |
[*] are mandatory fields.
Options for scheduled task query (/method:query):
Method | Function |
---|---|
/taskname | Specify the name of the scheduled task |
/folder | Specify the folder where the scheduled task stores (default: \) |
/remoteserver | Specify the hostname or IP address of a remote computer |
[*] are mandatory fields.
Options for scheduled task lateral movement (/method:move):
Method | Function |
---|---|
[*] /taskname | Specify the name of the scheduled task |
[*] /program | Specify the program that the task runs |
[*] /remoteserver | Specify the hostname or IP address of a remote computer |
/trigger | Specify the schedule type. The valid values include: "minute", "hourly", "daily", "onstart", "onlogon", "onidle" |
/modifier | Specify how often the task runs within its schedule type. Applicable only for schedule type such as "minute" (e.g., 1-1439 minutes) and "hourly" (e.g., 1-23 hours) |
/starttime | Specify the start time for daily schedule type (e.g., 23:30) |
/argument | Specify the command line argument for the program |
/folder | Specify the folder where the scheduled task stores (default: \) |
/author | Specify the author of the scheduled task |
/description | Specify the description for the scheduled task |
/user | Run the task with a specified user account |
[*] are mandatory fields.
Examples
Create a scheduled task called "Cleanup" that will be executed every day at 11:30 p.m.
ScheduleRunner.exe /method:create /taskname:Cleanup /trigger:daily /starttime:23:30 /program:calc.exe /description:"Some wordings" /author:netero1010
Create a scheduled task called "Cleanup" that will be executed every 4 hours on a remote server
ScheduleRunner.exe /method:create /taskname:Cleanup /trigger:hourly /modifier:4 /program:rundll32.exe /argument:c:\temp\payload.dll /remoteserver:TARGET-PC01
Delete a scheduled task called "Cleanup"
ScheduleRunner.exe /method:delete /taskname:Cleanup
Execute a scheduled task called "Cleanup"
ScheduleRunner.exe /method:run /taskname:Cleanup
Query details for a scheduled task called "Cleanup" under "\Microsoft\Windows\CertificateServicesClient" folder on a remote server
ScheduleRunner.exe /method:query /taskname:Cleanup /folder:\Microsoft\Windows\CertificateServicesClient /remoteserver:TARGET-PC01
Query all scheduled tasks under a specific folder "\Microsoft\Windows\CertificateServicesClient" on a remote server
ScheduleRunner.exe /method:query /folder:\Microsoft\Windows\CertificateServicesClient /remoteserver:TARGET-PC01
Query all sub-folders in scheduled task
ScheduleRunner.exe /method:queryfolders
Perform lateral movement using scheduled task to a remote server using a specific user account
ScheduleRunner.exe /method:move /taskname:Demo /remoteserver:TARGET-PC01 /program:rundll32.exe /argument:c:\temp\payload.dll /user:netero1010
Library and Reference Used:
Library | Link |
---|---|
TaskScheduler | https://github.com/dahall/TaskScheduler |
Reference | Link |
---|---|
SharpPersist | https://github.com/mandiant/SharPersist |