Closed cokeben closed 1 year ago
This check has a major limitation. As I mentioned in its description: Note that, as a low-privileged user, it's not possible to enumerate all the scheduled tasks.
Please do the following test:
Case 1: It does not appear (most common case). Then PrivescCheck cannot see it either.
Case 2: You can see it there. Then, there is indeed a problem with the detection and I'll have to investigate further.
I just tested it. It's a Case 1. Thanks for clarifying.
The task has to be apparently associated with the User directly, or Users group in order to be visible.
OS: Windows 11 22621.1105
Steps to reproduce:
$env:USERPROFILE\Desktop\vuln.exe
BUILTIN\Administrators group to execute vuln.exe and also tick the checkmark "Run with highest privileges"
Expected result:
PrivescCheck detects the vulnerable task, since the current user has permission to write to his Desktop folder, as well as replacing vuln.exe for any file of his choice
Actual result:
PrivescCheck gives OK status in the Scheduled Task: Binary Exploitation section and doesn't list the task.
SIDENOTE:
The group for executing the task doesn't have to be strictly BUILTIN\Administrators, it can be any high privileged User. It can be even the current user but with "Run with highest privileges" checkmark.
I also tried exporting the task to XML file, changing the actual author within the file and importing it back, to simulate creation of task by a different user. Sadly, same result.
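An added example, not part of the original thread and not PrivescCheck's own code: since a low-privileged user cannot enumerate every scheduled task, an administrator can audit from an elevated prompt and list each task whose binary is writable by anyone other than SYSTEM, Administrators or TrustedInstaller. The function name `Get-UntrustedWriter` and the choice of trusted SIDs and write rights are assumptions of this example.

```powershell
# Added example. Run from an elevated PowerShell prompt: only then does
# Get-ScheduledTask return tasks a low-privileged user cannot see.

# Assumption: the only SIDs expected to hold write access to a task binary are
# SYSTEM, BUILTIN\Administrators and NT SERVICE\TrustedInstaller.
$trustedSids = @(
    'S-1-5-18',
    'S-1-5-32-544',
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'
)
# Rights that let a principal modify or replace the file.
$writeMask = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership'

function Get-UntrustedWriter {
    param([string]$Path)
    # Request the rules keyed by SID so the comparison does not depend on locale.
    $rules = (Get-Acl -LiteralPath $Path).GetAccessRules(
        $true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($rule in $rules) {
        if ($rule.AccessControlType -eq 'Allow' -and
            ([int]$rule.FileSystemRights -band $writeMask) -ne 0 -and
            $trustedSids -notcontains $rule.IdentityReference.Value) {
            $rule.IdentityReference.Value
        }
    }
}

foreach ($task in Get-ScheduledTask) {
    # COM handler actions have no Execute property and are skipped.
    foreach ($action in $task.Actions | Where-Object { $_.Execute }) {
        # Expand %VAR% references (in the auditing account's environment) and drop quotes.
        $exe = [Environment]::ExpandEnvironmentVariables($action.Execute).Trim('"')
        if (-not [System.IO.Path]::IsPathRooted($exe)) { continue }
        if (-not (Test-Path -LiteralPath $exe -PathType Leaf)) { continue }
        $writers = @(Get-UntrustedWriter -Path $exe)
        if ($writers.Count -gt 0) {
            [pscustomobject]@{
                Task     = $task.TaskPath + $task.TaskName
                RunAs    = "$($task.Principal.UserId)$($task.Principal.GroupId)"
                RunLevel = $task.Principal.RunLevel   # 'Highest' matches the checkbox in the report
                Binary   = $exe
                Writers  = ($writers | Select-Object -Unique) -join ', '
            }
        }
    }
}
```

Rows with `RunLevel` of `Highest`, or a `RunAs` of SYSTEM or an administrative account, are the ones that correspond to the scenario in this report; the fix is to move the binary to a location only administrators can write to, or to tighten its ACL.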