Creating scheduled tasks via PowerShell and WMI
My commands in PowerShell:
PS D:\> $action = New-ScheduledTaskAction -Execute 'notepad.exe'
PS D:\> $trigger = New-ScheduledTaskTrigger -Daily -At 11am
PS D:\> Register-ScheduledTask -Action $action -Trigger $trigger -TaskPath "MyTasks" -TaskName "testTask" -Description "This task opens the Notepad editor"
The task is added successfully in Task Scheduler:
Original article:
https://www.windowscentral.com/how-create-scheduled-tasks-powershell-windows-10
Example of creating a scheduled task via WMI:
strComputer = "."
Set objWMIService = GetObject("winmgmts:" & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
JobID = "Test"
Set objNewJob = objWMIService.Get("Win32_ScheduledJob")
' Create(Command, StartTime, RunRepeatedly, DaysOfWeek, DaysOfMonth, InteractWithDesktop, JobId)
' StartTime is a CIM datetime string; DaysOfWeek is a bitmask (1 = Monday)
errJobCreate = objNewJob.Create("malware.exe", "********143000.000000-420", False, 1, , True, JobID)
' A return value of 0 means the job was accepted
If errJobCreate = 0 Then
    WScript.Echo "Job created successfully: " & VBNewLine _
        & "Notepad.exe scheduled to run repeatedly at 14.30 (2:30 P.M.) PST" & VBNewLine _
        & "on Mon, Wed, and Fri."
Else
    WScript.Echo "Job not created. Error code = " & errJobCreate
End If
Save the above as x.vbs and run it from cmd: Wscript.exe x.vbs. It reports that the scheduled task was created successfully.
See the reference article:
https://evasions.checkpoint.com/techniques/wmi.html
2.2. Start process using Task Scheduler via WMI (Windows 7)
The technique is essentially the same as described in the “Deferred execution using Task Scheduler” section in the “Timing” chapter. WMI just provides another way to schedule a task.
You can create a new task with WMI using the “Win32_ScheduledJob” class with the method “Create”.
However, the “Win32_ScheduledJob” WMI class was designed to work with the AT command, which is deprecated since Windows 8.
In Windows 8 and higher, you can only create scheduled jobs with WMI if the registry key “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\Configuration” has a value “EnableAt”=”1” of type REG_DWORD. Therefore, this technique is unlikely to be found in the wild.
Code sample (VB)
strComputer = "."
Set objWMIService = GetObject("winmgmts:" & "{impersonationLevel=Impersonate}!\\" & strComputer & "\root\cimv2")
Set objSWbemDateTime = CreateObject("WbemScripting.SWbemDateTime")
objSWbemDateTime.SetVarDate(DateAdd("n", 1, Now()))
Set objNewJob = objWMIService.Get("Win32_ScheduledJob")
errJobCreate = objNewJob.Create("malware.exe", objSWbemDateTime.Value, False, , , True, "MaliciousJob")
Signature recommendations
If one of the following functions is called with the 2nd argument “Win32_ScheduledJob” and the 3rd argument “Create”:
- IWbemServices_ExecMethod(..., BSTR("Win32_ScheduledJob"), BSTR("Create"), ...)
- IWbemServices_ExecMethodAsync(..., BSTR("Win32_ScheduledJob"), BSTR("Create"), ...)
then it’s an indicator of the application trying to use the evasion technique.
Countermeasures
Use a kernel-mode monitor, and register callback on the process creation with PsSetCreateProcessNotifyRoutineEx.
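As an added example that is not part of this post or the quoted Check Point article, the following PowerShell audit checks the EnableAt gating value described above and lists any existing Win32_ScheduledJob instances on the host. The function name and output shape are my own; it assumes an elevated session on Windows 8 or later.

```powershell
# Added example (not from this post or the quoted Check Point article).
# Audits a host for legacy AT-style jobs created through Win32_ScheduledJob.Create.
# Assumptions: elevated PowerShell 5.1+ on Windows 8 or later; function name is hypothetical.

function Get-AtJobAudit {
    $regPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\Configuration'

    # On Windows 8+ the Create method only succeeds when EnableAt is a REG_DWORD of 1.
    # A missing value is the default and means AT jobs are refused.
    $enableAt = (Get-ItemProperty -Path $regPath -Name 'EnableAt' -ErrorAction SilentlyContinue).EnableAt

    # Each accepted AT job is exposed as a Win32_ScheduledJob instance in root\cimv2.
    $jobs = @(Get-CimInstance -ClassName Win32_ScheduledJob -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                JobId         = $_.JobId
                Command       = $_.Command        # what will be executed
                Owner         = $_.Owner          # account that submitted the job
                StartTime     = $_.StartTime
                RunRepeatedly = $_.RunRepeatedly
                DaysOfWeek    = $_.DaysOfWeek     # bitmask: 1=Mon, 2=Tue, 4=Wed, 8=Thu, 16=Fri, 32=Sat, 64=Sun
                Status        = $_.Status
            }
        })

    # Findings a reviewer would act on: EnableAt deliberately set, or any job at all.
    $findings = @()
    if ($enableAt -eq 1) { $findings += 'EnableAt=1: legacy AT job creation is enabled on this host' }
    if ($jobs.Count -gt 0) { $findings += "$($jobs.Count) Win32_ScheduledJob instance(s) present" }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        EnableAt     = $enableAt
        Jobs         = $jobs
        Findings     = $findings
    }
}

$audit = Get-AtJobAudit
$audit | Select-Object ComputerName, EnableAt, Findings | Format-List
$audit.Jobs | Format-Table -AutoSize
```

On a default Windows 10 install the report shows EnableAt empty and no jobs; either finding is worth a closer look at who changed the host.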
How to create a scheduled task using PowerShell
To create a scheduled task with PowerShell on Windows 10, use these steps:
- Open Start.
- Search for PowerShell, right-click the top result, and select the Run as administrator option.
- Type the following command to create a variable to store the action of the task and press Enter:
$action = New-ScheduledTaskAction -Execute 'PROGRAM'
In the command, make sure to replace 'PROGRAM' with the name of the program you want to start. The "$action" is a variable, and the name does not matter as long as you keep it short, simple, and descriptive.
For example, this command tells Task Scheduler to start the Notepad app:
$action = New-ScheduledTaskAction -Execute 'notepad.exe'
Quick tip: If you are trying to schedule a Command Prompt or PowerShell script, you will use the name of the program for the "-Execute" option and "-Argument" option to specify the path of the script. For example,
$action = New-ScheduledTaskAction -Execute 'cmd.exe' -Argument C:\scripts\myscript.bat
- Type the following command to create a variable that stores the schedule information for the task and press Enter:
$trigger = New-ScheduledTaskTrigger -SETTING -At TIME
In the command, make sure to replace SETTING and TIME with the details on when you want to run the task. The $trigger is a variable, and the name does not matter.
For example, this example tells Task Scheduler to run the task daily at 11 am:
$trigger = New-ScheduledTaskTrigger -Daily -At 11am
Quick note: For "SETTING," you can use -Once, -Daily, -Weekly, or -Monthly. And for the time, you can use the 12 or 24-hour format. If you are using the "Weekly" option, then you also provide the "-DaysInterval" or "-DaysOfWeek" information followed by the corresponding information. For example, with "-DaysOfWeek," you can use Sunday, Monday, Tuesday, Wednesday, Thursday, Friday, or Saturday (example: -DaysOfWeek Monday to run the task every Monday), and with "-DaysInterval," you provide the interval as a number (example: -DaysInterval 2 to run the task every two days).
- Type the following command to create the scheduled task using the variables you specified in the previous steps and press Enter:
Register-ScheduledTask -Action $action -Trigger $trigger -TaskPath "TASK-FOLDER" -TaskName "TASK-NAME" -Description "OPTIONAL-DESCRIPTION-TEXT"
In the command, make sure to update "TASK-NAME" with the task's actual name and "OPTIONAL-DESCRIPTION-TEXT" with the description of the task. The folder "-TaskPath" option is not a requirement, but it will help keep tasks separate. If you do not specify the option with a path, the task will be created inside the Task Scheduler Library folder.
For example, this command creates a scheduled task with the "testTask" name, custom description, and with settings specified on steps No. 3 and 4:
Register-ScheduledTask -Action $action -Trigger $trigger -TaskPath "MyTasks" -TaskName "testTask" -Description "This task opens the Notepad editor"
Once you complete the steps, the task will be created and scheduled according to your configuration.
How to change scheduled task using PowerShell
To modify an already scheduled task with PowerShell commands, use these steps:
- Open Start.
- Search for PowerShell, right-click the top result, and select the Run as administrator option.
- Type the following command to create a variable to store the schedule changes and press Enter:
$trigger = New-ScheduledTaskTrigger -SETTING -At TIME
In the command, make sure to replace SETTING and TIME with the updated information on when to run the task.
For example, this command updates the task with a new trigger schedule:
$trigger = New-ScheduledTaskTrigger -Weekly -DaysOfWeek Monday -At 2pm
- (Optional) Type the following command to create a variable to store the new action changes and press Enter:
$action = New-ScheduledTaskAction -Execute 'PROGRAM'
In the command, make sure to replace 'PROGRAM' with the name of the new program you want to start.
For example, this command tells the Task Scheduler to change the start program to WordPad:
$action = New-ScheduledTaskAction -Execute 'C:\Program Files\Windows NT\Accessories\wordpad.exe'
- Type the following command to change the settings of the scheduled task and press Enter:
Set-ScheduledTask -Trigger $trigger -Action $action -TaskPath "TASK-FOLDER" -TaskName "TASK-NAME"
In the command, replace TASK-NAME with the name of the task you want to update. If you are storing the task in a specific folder, make sure to update TASK-FOLDER with the name of the folder storing the task. Otherwise, remove the -TaskPath "TASK-FOLDER" option from the command.
For example, this command updates the testTask task with the new action and trigger settings:
Set-ScheduledTask -Trigger $trigger -Action $action -TaskPath "MyTasks" -TaskName "testTask"
The above example shows the steps to update the "triggers" and "actions" settings, but you can also update only one, three, or more settings. You only need to create the variable and then apply it with the Set-ScheduledTask command. For example, using the above steps as a reference, you could skip step No. 4, and then use this command to only update the schedule:
Set-ScheduledTask -Trigger $trigger -TaskName "testTask"
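As an added example that is not part of this post or the Windows Central article, the following PowerShell function reads back what Register-ScheduledTask and Set-ScheduledTask actually stored for every task in a folder (executable, arguments, trigger type, run-as account and last result), so the outcome of the steps above can be reviewed. It assumes the ScheduledTasks module (Windows 8 / Server 2012 and later) and the "\MyTasks\" folder used in the article; the function name is my own.

```powershell
# Added example (not from this post or the Windows Central article).
# Reports what Register-ScheduledTask / Set-ScheduledTask stored for every task in a folder.
# Assumptions: ScheduledTasks module (Windows 8 / Server 2012+); folder "\MyTasks\"
# as in the article; function name is hypothetical.

function Get-TaskFolderReport {
    param([string]$TaskPath = '\MyTasks\')   # Register-ScheduledTask normalises "MyTasks" to "\MyTasks\"

    Get-ScheduledTask -TaskPath $TaskPath -ErrorAction SilentlyContinue | ForEach-Object {
        $task = $_
        $info = $task | Get-ScheduledTaskInfo
        # Trigger objects are CIM instances; the class name tells you Daily/Weekly/Time(-Once)...
        $triggerNames = ($task.Triggers |
            ForEach-Object { $_.CimClass.CimClassName -replace '^MSFT_Task', '' }) -join ', '

        # One row per action: a task may run several programs in sequence.
        foreach ($action in $task.Actions) {
            [pscustomobject]@{
                TaskName   = $task.TaskName
                State      = $task.State
                RunAsUser  = $task.Principal.UserId    # the registering user unless -User/-Principal was given
                RunLevel   = $task.Principal.RunLevel  # Limited or Highest
                Execute    = $action.Execute           # e.g. notepad.exe, or cmd.exe when a script is wrapped
                Arguments  = $action.Arguments         # a script path given via -Argument lands here
                Triggers   = $triggerNames
                LastRun    = $info.LastRunTime
                LastResult = $info.LastTaskResult      # 0 = last run succeeded
                NextRun    = $info.NextRunTime
            }
        }
    }
}

# Interpreter-wrapped actions (cmd.exe, powershell.exe) deserve a closer look at their arguments.
Get-TaskFolderReport -TaskPath '\MyTasks\' |
    Sort-Object TaskName |
    Format-Table TaskName, RunAsUser, Execute, Arguments, Triggers, NextRun -AutoSize
```

Run it after the Register-ScheduledTask step above to confirm the stored action and trigger match what you intended, and again after any Set-ScheduledTask change.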