Run Specter PowerShell Cradle as SYSTEM with Schtasks Commandline

Description

This script generates a new obfuscated PowerShell cradle and runs it with a scheduled task as NT AUTHORITY\SYSTEM.

Overview

This script generates a new obfuscated PowerShell cradle containing both an AMSI bypass and a PowerShell logging bypass. It then runs schtasks.exe to create and run a scheduled task as NT AUTHORITY\SYSTEM. The task is then deleted. The TaskName can be configured, but the default is “CacheTask”.

schtasks.exe limits the length of the command it accepts for a task, so the PowerShell cradle is stored in an environment variable (named by EnvironmentVariableName) and the task command references that variable, keeping the command line to a reasonable length.
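From the defender's side, the behaviour described above leaves a recognisable trace in process-creation telemetry: schtasks.exe creating a task with /ru SYSTEM whose /tr action launches PowerShell, the action referencing an environment variable instead of carrying the script inline, and a create, run, delete burst for the same task name within seconds. The following is an added detection example written for this page, not code from Specter or its documentation; it assumes a constructed Sysmon-style key=value event format, and the sample lines, the task name and the variable name PAYLOAD are placeholders chosen here.

```python
import re
from datetime import datetime, timedelta

# Constructed process-creation events in a Sysmon-like key=value layout.
# These are sample lines written for this example, not real telemetry;
# "CacheTask" is the page's default task name, "PAYLOAD" is a placeholder.
SAMPLE_EVENTS = [
    "UtcTime=2024-01-01 10:00:00|Image=C:\\Windows\\System32\\schtasks.exe"
    "|User=CORP\\admin|CommandLine=schtasks.exe /create /tn CacheTask /ru SYSTEM"
    " /sc once /st 23:59 /tr \"powershell -nop -w hidden -c iex $env:PAYLOAD\" /f",
    "UtcTime=2024-01-01 10:00:01|Image=C:\\Windows\\System32\\schtasks.exe"
    "|User=CORP\\admin|CommandLine=schtasks.exe /run /tn CacheTask",
    "UtcTime=2024-01-01 10:00:02|Image=C:\\Windows\\System32\\schtasks.exe"
    "|User=CORP\\admin|CommandLine=schtasks.exe /delete /tn CacheTask /f",
    # Benign-looking control: a daily task under a service account, never deleted.
    "UtcTime=2024-01-01 11:00:00|Image=C:\\Windows\\System32\\schtasks.exe"
    "|User=CORP\\ops|CommandLine=schtasks.exe /create /tn NightlyBackup"
    " /ru CORP\\svc_backup /sc daily /st 02:00 /tr \"C:\\Tools\\backup.exe\"",
]

# Real schtasks.exe switches: /create /run /delete /tn /ru /tr.
SCHTASKS_ACTION = re.compile(r"/(create|run|delete)\b", re.I)
TASK_NAME = re.compile(r'/tn\s+"?([^\s"]+)', re.I)
RUN_AS_SYSTEM = re.compile(r'/ru\s+"?(?:NT AUTHORITY\\)?SYSTEM\b', re.I)
POWERSHELL_ACTION = re.compile(r'/tr\s+"?[^"]*(powershell|pwsh)', re.I)
ENV_VAR_REF = re.compile(r"\$env:\w+|%\w+%", re.I)


def parse_event(line):
    """Split one constructed key=value|key=value line into a dict."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key] = value
    fields["UtcTime"] = datetime.strptime(fields["UtcTime"], "%Y-%m-%d %H:%M:%S")
    return fields


def classify_schtasks(event):
    """Return (action, task_name, indicators) for a schtasks.exe event, else None."""
    if not event.get("Image", "").lower().endswith("\\schtasks.exe"):
        return None
    cmd = event.get("CommandLine", "")
    action = SCHTASKS_ACTION.search(cmd)
    name = TASK_NAME.search(cmd)
    if not action or not name:
        return None
    indicators = []
    if action.group(1).lower() == "create":
        if RUN_AS_SYSTEM.search(cmd):
            indicators.append("run_as_system")
        if POWERSHELL_ACTION.search(cmd):
            indicators.append("powershell_action")
        if ENV_VAR_REF.search(cmd):       # script body hidden in an env variable
            indicators.append("payload_in_env_var")
    return action.group(1).lower(), name.group(1), indicators


def detect(lines, window=timedelta(minutes=5)):
    """Flag tasks created as SYSTEM to launch PowerShell, and tasks that are
    created, run and deleted within `window` (the short-lived-task pattern)."""
    per_task = {}  # task name -> {"actions": {action: first_time}, "indicators": [...]}
    for ev in (parse_event(l) for l in lines):
        info = classify_schtasks(ev)
        if info is None:
            continue
        action, name, indicators = info
        entry = per_task.setdefault(name, {"actions": {}, "indicators": []})
        entry["actions"].setdefault(action, ev["UtcTime"])
        entry["indicators"].extend(indicators)

    findings = []
    for name, entry in per_task.items():
        inds = list(entry["indicators"])
        acts = entry["actions"]
        if all(a in acts for a in ("create", "run", "delete")):
            if acts["delete"] - acts["create"] <= window:
                inds.append("short_lived_task")
        system_ps = "run_as_system" in inds and "powershell_action" in inds
        if system_ps or "short_lived_task" in inds:
            findings.append({"task": name, "indicators": inds})
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f["task"], "->", ", ".join(f["indicators"]))
```

In a real deployment the same logic would read Sysmon Event ID 1 or Security 4688 process-creation records, and the create/delete burst can be cross-checked against the Security log's 4698 (task created) and 4699 (task deleted) events, which the task scheduler service writes independently of the process that invoked schtasks.exe. The environment-variable indicator matters because the page notes the cradle carries a PowerShell logging bypass: the task's command line may be the only place the launch is recorded, and a `$env:` or `%VAR%` reference in a /tr action is itself unusual enough to review.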

Arguments

  • TaskName: The name of the scheduled task.
  • EnvironmentVariableName: The name of the environment variable that will store the payload.
  • Build: The Specter build identifier.

Dependencies

  • None

Operating Systems

  • Windows

Pre-Requisites

  • High Integrity process

Example Output

SUCCESS: The scheduled task "CacheTask" has successfully been created.
SUCCESS: Attempted to run the scheduled task "CacheTask".
SUCCESS: The scheduled task "CacheTask" was successfully deleted.