I’m back from Vegas and trying to work off all those late nights and delicious beers. Before I get down to business, I want to talk about the training I attended at Black Hat. My colleague and I had the opportunity to attend SpecterOps’ Red Team Ops training and it was absolutely fantastic. I doubt any the SpecterOps crew will read my humble blog, but if for some reason you find yourself here – thank you, it was terrific.
Windows services get a lot of attention. There is a reason why PSExec is a mainstay when laterally moving – it works, it’s stable, and it brings you in on a privileged session; however, it’s noisy. So I put together a reflective DLL which accomplishes the same thing but using scheduled tasks instead, while not calling schtasks.exe. It’s a similar level of noisy, but in my opinion it’s less likely to attract attention and it’s an alternative option.
I think there are quite a few potential applications for this code. Lateral movement is one. Including persistence in your custom foothold payload without calling schtasks.exe might be another. Using it to start a SYSTEM session could also be a use case.
The code includes a reflective DLL and an Aggressor script. The Aggressor script takes care of uploading the binary and calling the DLL. The DLL creates, executes, and deletes the scheduled task. Everything is pretty commented so if you’re adverse to writing a binary you could execute a one-liner instead. **NOTE** The Aggressor script or DLL will not clean up the binary, that is on you.
You can find the code at https://github.com/ThunderGunExpress/Reflective_Schtasks
Once again, this is skeleton code and has the following limitations:
- Use an IP address for remote targets and 127.0.0.1 for local targets
- If running against a local target you’ll need to be in a high integrity context