Coder Social home page Coder Social logo

tasker's Introduction

Tasker - Scheduled tasks without schtasks.exe

This simple C# program is designed to allow the creation of scheduled tasks via the Task Scheduler Service COM interface using Microsoft.Win32.TaskScheduler library. The required DLL is embedded into the compiled executable using the Costura.Fody library. It will use the current process token so you do not need credentials or high-privileges.

Rational

This tool is meant to be used for persistence during red team engagements. Most modern EDR will detect usage of schtasks.exe or at.exe but will not flag on task creation via API. Two tasks are created, the persistence task "Adobe Framework Update" and a cleanup task "Adobe Framework Cleanup". The persistence task will expire when the value of the has elapsed, at which time the Cleanup task will begin. The cleanup will repeatedly attempt to delete the executable target that was specified in the arguments. The scheduled tasks that are created will run under the current user context, meaning this can be done from a low privilege position. The persistence task will execute once and then fail gracefully until the persistent process is killed, at which time it will execute again (assuming your beacon process runs from the source executable). This way, you can put aggressive time intervals like 1 minute without overwhelming your C2 with callbacks. The task will survive reboots. The tool itself will probably flag as malicious if dropped to disk, and is meant to be used directly from memory via execute-assembly type commands.

Usage

The tool expects 3 arguments as follows

tasker.exe <ExecutablePath> <WorkingDirectory> <IntervalMinutes> <MinutesToCleanup>

This is intended to be done from memory, as there is no obfuscation or EDR evasion applied to tasker itself.

Usage example within cobaltStrike below, assumes that tasker is in your C:\temp. This will create the persistence task detonating C:\VictimPC\payload\location\payload.exe every 5 minutes for 60 minutes. The cleanup task will delete the payload after 60 minutes has elapsed, retrying every 5 minutes indefinetly :

execute-assembly C:\temp\tasker.exe payload.exe C:\VictimPC\payload\location\ 5 60

tasker's People

Contributors

pn-tester avatar

Stargazers

avatar

Watchers

avatar

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    ๐Ÿ–– Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. ๐Ÿ“Š๐Ÿ“ˆ๐ŸŽ‰

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google โค๏ธ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.