itm4n / PrivescCheck

Privilege Escalation Enumeration Script for Windows
BSD 3-Clause "New" or "Revised" License

Scheduled Task: Binary Exploitation no detection #42

Closed cokeben closed 1 year ago

cokeben commented 1 year ago

OS: Windows 11 22621.1105

Steps to reproduce:

  1. Create a scheduled task pointing to an executable in a directory that the current user has write/modify access to, for example $env:USERPROFILE\Desktop\vuln.exe
  2. In Security options, use the BUILTIN\Administrators group to execute vuln.exe and also tick the "Run with highest privileges" checkbox
  3. Set a trigger of your choice; it doesn't really matter
  4. Allow task to be run on demand (enabled by default)
  5. Perform extended scan with PrivescCheck.ps1

Expected result:

PrivescCheck detects the vulnerable task, since the current user has permission to write to his Desktop folder, as well as to replace vuln.exe with any file of his choice.

Actual result:

PrivescCheck gives OK status in the Scheduled Task: Binary Exploitation section and doesn't list the task.

SIDENOTE:

The group for executing the task doesn't have to be strictly BUILTIN\Administrators; it can be any highly privileged user.

It can even be the current user, but with the "Run with highest privileges" checkbox ticked.

I also tried exporting the task to an XML file, changing the author within the file, and importing it back to simulate creation of the task by a different user. Sadly, same result.

itm4n commented 1 year ago

This check has a major limitation. As I mentioned in its description: "Note that, as a low-privileged user, it's not possible to enumerate all the scheduled tasks."

Please do the following test:

  1. Open the MMC > Scheduled Tasks snap-in as the user you are running PrivescCheck with.
  2. Try to find your scheduled task.

Case 1: It does not appear (most common case). Then PrivescCheck cannot see it either.

Case 2: You can see it there. Then there is indeed a problem with the detection and I'll have to investigate further.

cokeben commented 1 year ago

I just tested it. It's a Case 1. Thanks for clarifying.

The task apparently has to be associated with the user directly, or with the Users group, in order to be visible.
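The following is an added audit example, not code from PrivescCheck or from either participant in this thread. It reproduces the check being discussed from an administrator's side: it enumerates the scheduled tasks visible to the current user, resolves each task's executable, and reports those whose binary or parent directory grants write-class rights (write, delete, WriteDAC, WriteOwner, FullControl) to the current user or one of its groups. The function names (`Get-CurrentUserSids`, `Test-PathWritable`, `Find-WritableTaskBinaries`) are assumptions for this example; `Get-ScheduledTask`, `Get-Acl` and the .NET types used are standard Windows PowerShell 5.1 APIs.

```powershell
# Added example (not part of PrivescCheck): audit scheduled tasks whose action
# binary, or the directory containing it, is writable by the current user.
# Assumes Windows PowerShell 5.1+ with the ScheduledTasks module.

function Get-CurrentUserSids {
    # SIDs of the current user plus every group in its token
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $sids = @($id.User.Value)
    $sids += @($id.Groups | ForEach-Object { $_.Value })
    return $sids
}

function Test-PathWritable {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return $false }
    $sids = Get-CurrentUserSids
    # Rights that let a principal replace or alter the target (for a directory,
    # WriteData/AppendData mean CreateFiles/CreateDirectories)
    $writeMask = [System.Security.AccessControl.FileSystemRights]::WriteData -bor
                 [System.Security.AccessControl.FileSystemRights]::AppendData -bor
                 [System.Security.AccessControl.FileSystemRights]::Delete -bor
                 [System.Security.AccessControl.FileSystemRights]::WriteDac -bor
                 [System.Security.AccessControl.FileSystemRights]::WriteOwner -bor
                 [System.Security.AccessControl.FileSystemRights]::FullControl
    $acl = Get-Acl -LiteralPath $Path
    $allowed = $false
    foreach ($ace in $acl.Access) {
        try {
            $aceSid = $ace.IdentityReference.Translate(
                [System.Security.Principal.SecurityIdentifier]).Value
        } catch { continue }                       # orphaned/unresolvable SID
        if ($sids -notcontains $aceSid) { continue }
        if (($ace.FileSystemRights -band $writeMask) -eq 0) { continue }
        # Canonical ACL order puts Deny ACEs first, so a matching deny wins
        if ($ace.AccessControlType -eq 'Deny') { return $false }
        $allowed = $true
    }
    return $allowed
}

function Find-WritableTaskBinaries {
    # Only tasks the current user can read are returned (the limitation noted
    # in this thread); run under each principal of interest, or as admin.
    $results = foreach ($task in (Get-ScheduledTask -ErrorAction SilentlyContinue)) {
        foreach ($action in $task.Actions) {
            if (-not $action.Execute) { continue }   # COM handler / other action types
            # Strip surrounding quotes and expand %SystemRoot%-style variables
            $exe = [Environment]::ExpandEnvironmentVariables($action.Execute.Trim('"'))
            if (-not [System.IO.Path]::IsPathRooted($exe)) {
                # Bare name: resolve through PATH like the task scheduler would
                $cmd = Get-Command $exe -ErrorAction SilentlyContinue
                if (-not $cmd) { continue }
                $exe = $cmd.Source
            }
            $dir = Split-Path -Parent $exe
            $fileWritable = Test-PathWritable -Path $exe
            $dirWritable  = Test-PathWritable -Path $dir
            if ($fileWritable -or $dirWritable) {
                [pscustomobject]@{
                    TaskPath     = $task.TaskPath
                    TaskName     = $task.TaskName
                    RunAs        = $task.Principal.UserId
                    RunLevel     = $task.Principal.RunLevel
                    Executable   = $exe
                    FileWritable = $fileWritable
                    DirWritable  = $dirWritable
                }
            }
        }
    }
    return $results
}

# Tasks running as another principal, or with RunLevel Highest, are the ones
# worth fixing first (move the binary to a protected directory, tighten the ACL).
Find-WritableTaskBinaries | Sort-Object RunLevel -Descending | Format-Table -AutoSize
```

Because `Get-ScheduledTask` is subject to the same visibility rule itm4n describes, a task that the low-privileged user cannot read will not show up here either; to audit the whole system, run the script from an elevated session, where every task is enumerated and the ACL test still reflects the rights of the account you pass in via `Get-CurrentUserSids` (replace that function with a fixed SID list if you want to evaluate a different user).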