A scheduled task or scheduled job is any instance of execution, like the initiation of a process or running of a script, that the system performs on a set schedule. Scheduled tasks are a fundamental component of work automation, as they empower a system to perform the specified task without requiring a user to start that task. Once the task executes, it can prompt for user interaction or run silently in the background; it all depends on what the task is set up to do. While most scheduled tasks are configured to run at certain times, you can also schedule tasks around certain events, like a specific user logging in.
Just as scheduled tasks can make a normal user's or administrator's job easier, they can also be a boon to your pen test campaign. For example, you could manually execute a Netcat data exfiltration command over and over again to always have the most up-to-date version of a sensitive file, but this can become tedious, not to mention noisy. Instead, you could create a scheduled task that silently runs the exfiltration command in the background every so often—once a day, for example—to automate your persistence in the organization while remaining undetected.
Task Scheduler is the utility that governs scheduled tasks in Windows environments. You can do quite a bit with this utility, including:
- Setting a task name and description.
- Setting the task's "triggers"—i.e., the time or events that will cause the task to start.
- Setting the task's actual action—e.g., running a program, executing a command, etc.
- Setting what account to run the task under.
- Setting special conditions that might influence when the task will run, like only running a task if a laptop is connected to AC power.
- Configuring additional settings about the task, like what to do if the task fails.
Note that the time trigger supports granular values. You can, for instance, run the task once a year starting on a specific day, or repeat the task every minute for 60 minutes. You can also identify details about a task, like its next run time, its most recent run time, the result or exit status of its most recent run, etc. This is made easier through the Task Scheduler GUI. However, as a pen tester, you will likely need to rely on scheduling a task from the command line (schtasks). The following example schedules a task named "backdr" that runs a batch file once a day for 30 days under the SYSTEM account:
schtasks /create /tn backdr /tr C:\Files\backdoor.bat /sc DAILY /mo 30 /ru SYSTEM
Note: For a full list of options for schtasks, see https://msdn.microsoft.com/en-us/library/windows/desktop/bb736357(v=vs.85).aspx.
Note: Scheduled tasks can also leverage application functionality exposed by DCOM, like scheduling the execution of macros in an Excel file.
On Linux, cron jobs are the primary method of scheduling tasks/jobs. The cron daemon runs the specified shell command at the date and/or time specified in the user's crontab file. You can edit this file by entering crontab -e at a shell. Each line in this file represents a job, and is formatted as follows:
Note that you aren't required to specify every time value. The asterisk (*) denotes a wildcard value; i.e., the job will run for every instance of this value. For example, the following line will run a Netcat file exfiltration listener every day at 9:00 A.M.:
0 9 * * * nc -lp 12345 > data.txt
The following example will run the same Netcat command at the top of every hour every 15th day of every other month:
0 * 15 */2 * nc -lp 12345 > data.txt
Note that the month value uses a division operator (/) with a wildcard to divide each of the 12 months into 2.
Be aware that the jobs you create with crontab -e will run as the current user. You can also directly edit the system's /etc/crontab file to run a job as a specific user, though this is usually not recommended. This file takes a user field before the command field, such as:
0 9 * * * jsmith nc -lp 12345 > data.txt