Privilege Escalation with Task Scheduler

DuckWrites
3 min read · Nov 27, 2024

When it comes to privilege escalation during penetration testing, many testers immediately look for SeImpersonatePrivilege as the golden ticket to SYSTEM-level access. But what happens when SeImpersonate isn’t available? Should you abandon all hope? Absolutely not!

One powerful yet often overlooked method is using Task Scheduler to escalate privileges. This approach relies on having specific privileges or access to manage scheduled tasks, and when used correctly, it can be just as effective.

Let’s break down how you can turn Task Scheduler into your secret weapon for privilege escalation.

Assess Your Privileges

The first step in any privilege escalation attempt is to check what you’re working with. Use the following command to identify your current privileges:

whoami /priv

Look for these critical privileges:

  1. SeBatchLogonRight
    This privilege is required to create scheduled tasks.
  2. SeCreateGlobalPrivilege
    While not mandatory, it can enhance your ability to execute tasks with elevated permissions.

If these privileges are present, you’re off to a great start. If not, don’t despair — this method can still work if you have sufficient access to manage Task Scheduler.

Verify Your Task Scheduler Access

Next, determine if you have the ability to manage scheduled tasks on the system. Run the following command:

schtasks /query

If the output lists existing tasks without throwing an “Access Denied” error, it means you have the necessary access to create, modify, and execute tasks. This is a critical checkpoint — without Task Scheduler access, this method won’t be viable.

Leveraging Task Scheduler for Privilege Escalation

Now that you’ve confirmed your privileges and access, it’s time to use Task Scheduler to escalate. The idea here is to create a task that executes a command as SYSTEM, granting you elevated access.

Create a Scheduled Task:

schtasks /create /tn "BackdoorTask"
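
On the detection side, task registration of the kind described above is recorded as Security event 4698 ("A scheduled task was created") when the Audit Other Object Access Events subcategory is enabled. The following is an added example, not code from the original article: it parses such an event and flags a task that a non-SYSTEM account registered to run as SYSTEM. The sample events, account name, SIDs and paths are constructed placeholders.

```python
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

EVT = "{http://schemas.microsoft.com/win/2004/08/events/event}"
TASK = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"
SYSTEM_IDS = {"s-1-5-18", "system", "nt authority\\system"}

def review_4698(event_xml):
    """Return a finding when a non-SYSTEM account registers a task that runs as SYSTEM."""
    root = ET.fromstring(event_xml)
    if root.findtext(f"{EVT}System/{EVT}EventID") != "4698":
        return None
    data = {d.get("Name"): (d.text or "") for d in root.iter(f"{EVT}Data")}
    # TaskContent carries the task definition as escaped XML; drop any XML declaration.
    content = re.sub(r"^\s*<\?xml[^>]*\?>", "", data.get("TaskContent", ""))
    try:
        task = ET.fromstring(content)
    except ET.ParseError:
        return {"task": data.get("TaskName"), "reason": "unparsed TaskContent"}
    # Only the task's principals matter; triggers can also carry a UserId element.
    run_as = [(u.text or "").strip().lower()
              for u in task.findall(f"{TASK}Principals/{TASK}Principal/{TASK}UserId")]
    creator_sid = data.get("SubjectUserSid", "")
    if creator_sid.upper() == "S-1-5-18" or not SYSTEM_IDS.intersection(run_as):
        return None
    commands = [" ".join(filter(None, (e.findtext(f"{TASK}Command"), e.findtext(f"{TASK}Arguments"))))
                for e in task.findall(f"{TASK}Actions/{TASK}Exec")]
    return {"task": data.get("TaskName"), "creator": data.get("SubjectUserName"),
            "creator_sid": creator_sid, "reason": "runs as SYSTEM", "commands": commands}

def sample_event(creator_sid, creator, run_as):
    """Constructed 4698 event, trimmed to the fields used here; not a captured log."""
    task = ('<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
            f'<Principals><Principal id="Author"><UserId>{run_as}</UserId></Principal></Principals>'
            "<Actions><Exec><Command>C:\\Example\\placeholder.exe</Command></Exec></Actions></Task>")
    return ('<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
            "<System><EventID>4698</EventID></System><EventData>"
            f'<Data Name="SubjectUserSid">{creator_sid}</Data>'
            f'<Data Name="SubjectUserName">{creator}</Data>'
            '<Data Name="TaskName">\\ExampleTask</Data>'
            f'<Data Name="TaskContent">{escape(task)}</Data></EventData></Event>')

if __name__ == "__main__":
    sid = "S-1-5-21-1111111111-2222222222-3333333333-1104"  # constructed SID
    for ev in (sample_event(sid, "svc_web", "S-1-5-18"), sample_event(sid, "svc_web", "svc_web")):
        print(review_4698(ev))
```

Findings from a check like this are worth triaging against the software-deployment and management agents that legitimately register SYSTEM tasks in the environment.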
