Utilities such as [at](https://attack.mitre.org/software/S0110) and [schtasks](https://attack.mitre.org/software/S0111), along with the Windows Task Scheduler, can be used to schedule programs or scripts to be executed at a date and time. A task can also be scheduled on a remote system, provided the proper authentication is met to use RPC and file and printer sharing is turned on. Scheduling a task on a remote system typically required being a member of the Administrators group on the remote system. (Citation: TechNet Task Scheduler Security)An adversary may use task scheduling to execute programs at system startup or on a scheduled basis for persistence, to conduct remote Execution as part of Lateral Movement, to gain SYSTEM privileges, or to run a process under the context of a specified account.
Executes cmd.exe Note: deprecated in Windows 8+
Supported Platforms: Windows
at 13:20 /interactive cmd
Supported Platforms: Windows
| Name | Description | Type | Default Value |
|---|---|---|---|
| task_command | What you want to execute | String | C:\windows\system32\cmd.exe |
| time | What time 24 Hour | String | 72600 |
SCHTASKS /Create /SC ONCE /TN spawn /TR #{task_command} /ST #{time}
SCHTASKS /Delete /TN spawn /F
Create a task on a remote system
Supported Platforms: Windows
| Name | Description | Type | Default Value |
|---|---|---|---|
| task_command | What you want to execute | String | C:\windows\system32\cmd.exe |
| time | What time 24 Hour | String | 72600 |
| target | Target | String | localhost |
| user_name | Username DOMAIN\User | String | DOMAIN\user |
| password | Password | String | At0micStrong |
SCHTASKS /Create /S #{target} /RU #{user_name} /RP #{password} /TN "Atomic task" /TR "#{task_command}" /SC daily /ST #{time}
SCHTASKS /Delete /TN "Atomic task" /F
Create an atomic scheduled task that leverages native powershell cmdlets. These could be considered "fileless" scheduled task creation.
Supported Platforms: Windows
$Action = New-ScheduledTaskAction -Execute "calc.exe"
$Trigger = New-ScheduledTaskTrigger -AtLogon
$User = New-ScheduledTaskPrincipal -GroupId "BUILTIN\Administrators" -RunLevel Highest
$Set = New-ScheduledTaskSettingsSet
$object = New-ScheduledTask -Action $Action -Principal $User -Trigger $Trigger -Settings $Set
Register-ScheduledTask AtomicTask -InputObject $object
Unregister-ScheduledTask -TaskName "AtomicTask" -confirm:$false >$null 2>&1