Scheduled Tasks

Binary Overwrite

Detection

$schedule = New-Object -com("Schedule.Service")
$schedule.connect()
$tasks= $schedule.getfolder("\").gettasks(0)
$tasks | fl

taschd.msc
schtasks.exe /query
schtasks.exe /query /TN <task_name> /v
schtasks.exe /query /TN <task_name> /xml
autoruns.exe
PowerUp.ps1: Get-ModifiableScheduledTaskFile

Exploitation

1) Compile an executable file with the right name
2) Place it in the identified location

Binary Overwrite​

Binary Overwrite