unknown пре 2 година
родитељ
комит
8a440f053a

+ 3 - 3
KIT/AddTaskScheduler/README.md

@@ -1,14 +1,14 @@
 # AddTaskScheduler
 This tool can be used to create a scheduled task on the current system or a remote host. It supports multiple trigger options. 
 
->As a rule of thumb, setting a scheduled task for any user but yourself, requires elevated privileges. Furthermore, the tool returns error codes if the operation fails. The most common error codes are: 80070005 (not enough privileges), and 80041318/80041319 (most likely you made a typo in one of the input fields). 
+>As a rule of thumb, setting a scheduled task for any user but yourself, requires elevated privileges. Furthermore, the tool returns error codes if the operation fails. The most common error codes are: 80070005 (not enough privileges), 80041318/80041319 (most likely you made a typo in one of the input fields), and 80070002 (scheduled task doesn't exist). 
 
 ## Basic parameters
 * `taskName`: The name of the scheduled task.
 * `hostName`: Specify `""` for the current system or the FQDN of the remote host: `DB01.example.local`. 
 * `programPath`: Path to the program that you want to run like: `C:\Windows\System32\cmd.exe`.
 * `programArguments`: Arguments that you want to pass to the program like: `"/c C:\Windows\System32\calc.exe"` or `""` to leave it empty.
-* `triggerType`: The trigger that signals the execution like: `onetime`, `daily`, `logon`, `startup`, `lock`, `unlock`. For more information, check the "Supported trigger options" below.
+* `triggerType`: The trigger that signals the execution like: `onetime`, `daily`, `logon`, `startup`, `lock`, `unlock`. For more information, check the TRIGGER OPTIONS below.
 
 ## Supported trigger options
 * `onetime`: Create task with trigger "On a schedule: one time".
@@ -26,7 +26,7 @@ This tool can be used to create a scheduled task on the current system or a remo
 * `userID`: Specify the user for which the trigger is set in format: `"DOMAIN\username"` for domain users, `username` for local system users and `""` for all users (requires admin privs if set for another user or all users).
 * `repeatTask`: Set "Repeat task every x minutes/hours" option in format `PT2H` with a duration of `Indefinitely`.
 
-## Usage trigger options
+## Usage
 * `addtaskscheduler <taskName> <(optional) hostName> <programPath> "<(optional) programArguments>" onetime <startTime> <(optional) repeatTask>`
 * `addtaskscheduler <taskName> <(optional) hostName> <programPath> "<(optional) programArguments>" daily <startTime> <(optional) expireTime> <(optional) daysInterval> <(optional) delay>`
 * `addtaskscheduler <taskName> <(optional) hostName> <programPath> "<(optional) programArguments>" logon <(optional) userID>`

+ 35 - 6
KIT/AddTaskScheduler/addtaskscheduler.c

@@ -189,6 +189,26 @@ HRESULT SetUnlockTask(HRESULT hr, ITriggerCollection* pTriggerCollection, wchar_
 }
 
 
+BOOL IsElevated() {
+    BOOL fIsElevated = FALSE;
+    HANDLE hToken = NULL;
+
+    if (ADVAPI32$OpenProcessToken(KERNEL32$GetCurrentProcess(), TOKEN_QUERY, &hToken)) {
+        TOKEN_ELEVATION elevation;
+        DWORD dwSize;
+
+        if (ADVAPI32$GetTokenInformation(hToken, TokenElevation, &elevation, sizeof(elevation), &dwSize)) {
+            fIsElevated = elevation.TokenIsElevated;
+        }
+    }
+
+    if (hToken) {
+        KERNEL32$CloseHandle(hToken);
+    }
+    return fIsElevated;
+}
+
+
 BOOL CreateScheduledTask(char* triggerType, wchar_t* taskName, wchar_t * host, wchar_t* programPath, wchar_t* programArguments, wchar_t* startTime, wchar_t* expireTime, int daysInterval, wchar_t* delay, wchar_t* userID, wchar_t* repeatTask) {
     BOOL actionResult = FALSE;
 	HRESULT hr = S_OK;
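Review bot: IsElevated() only ever opens the process token (OpenProcessToken(GetCurrentProcess()) on the third added line), so a token impersonated on the calling thread — the usual way a BeaconPrintf-style BOF runs under a different identity — is never consulted, and the elevation answer may not match the context the task registration actually runs under. A safer shape is to try the thread token first and fall back to the process token: `if (!ADVAPI32$OpenThreadToken(KERNEL32$GetCurrentThread(), TOKEN_QUERY, TRUE, &hToken) && !ADVAPI32$OpenProcessToken(KERNEL32$GetCurrentProcess(), TOKEN_QUERY, &hToken)) return FALSE;` — which needs matching DECLSPEC_IMPORT declarations for OpenThreadToken and GetCurrentThread in addtaskscheduler.h. The function also deserves a one-line header comment saying what it reports, e.g. `// TRUE when the caller's token carries UAC elevation on the local host; says nothing about rights on a remote hostName.` CreateScheduledTask, whose first lines close this hunk, continues past it.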
@@ -233,12 +253,21 @@ BOOL CreateScheduledTask(char* triggerType, wchar_t* taskName, wchar_t * host, w
 		goto cleanup;
     }
 	
-    IPrincipal* pPrincipal = NULL;
-    hr = pTaskDefinition->lpVtbl->get_Principal(pTaskDefinition, &pPrincipal);
-    if (SUCCEEDED(hr)) {
-        pPrincipal->lpVtbl->put_LogonType(pPrincipal, TASK_LOGON_INTERACTIVE_TOKEN);
-        pPrincipal->lpVtbl->Release(pPrincipal);
-    }
+	IPrincipal* pPrincipal = NULL;
+	hr = pTaskDefinition->lpVtbl->get_Principal(pTaskDefinition, &pPrincipal);
+	if (SUCCEEDED(hr)) {
+		if (IsElevated()) {
+			BeaconPrintf(CALLBACK_OUTPUT, "[*] Running in elevated context and setting \"Run whether user is logged on or not\" security option!\n"); 
+			BSTR systemUser = OLEAUT32$SysAllocString(L"SYSTEM");
+			pPrincipal->lpVtbl->put_UserId(pPrincipal, systemUser);
+			OLEAUT32$SysFreeString(systemUser);
+			
+		}else {
+			pPrincipal->lpVtbl->put_LogonType(pPrincipal, TASK_LOGON_INTERACTIVE_TOKEN);
+		}
+		pPrincipal->lpVtbl->Release(pPrincipal);
+	}
+	
 
     ITriggerCollection* pTriggerCollection = NULL;
     hr = pTaskDefinition->lpVtbl->get_Triggers(pTaskDefinition, &pTriggerCollection);
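Review bot: The elevated branch sets the principal's UserId to "SYSTEM" but sets no LogonType at all, whereas the non-elevated branch sets TASK_LOGON_INTERACTIVE_TOKEN; for a SYSTEM/service principal the documented logon type is TASK_LOGON_SERVICE_ACCOUNT, which is also what the printed "Run whether user is logged on or not" message promises. Add `pPrincipal->lpVtbl->put_LogonType(pPrincipal, TASK_LOGON_SERVICE_ACCOUNT);` right after put_UserId, and wrap the two calls in `if (systemUser) {` since SysAllocString can return NULL. The choice is driven purely by local elevation, so when hostName is a remote FQDN the SYSTEM principal is selected regardless of the caller's rights on that host, and a SYSTEM task runs in session 0 rather than the triggering user's desktop for the logon/lock/unlock triggers — worth a comment here and a README caveat. The HRESULTs from put_UserId/put_LogonType are discarded, and the RegisterTaskDefinition call that ultimately consumes this principal lies outside the hunk.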

+ 6 - 0
KIT/AddTaskScheduler/addtaskscheduler.h

@@ -1,5 +1,11 @@
 #include <windows.h>  
 
+//IsElevated
+DECLSPEC_IMPORT BOOL WINAPI ADVAPI32$OpenProcessToken(HANDLE ProcessHandle, DWORD DesiredAccess, PHANDLE TokenHandle);
+DECLSPEC_IMPORT BOOL WINAPI ADVAPI32$GetTokenInformation(HANDLE TokenHandle, TOKEN_INFORMATION_CLASS TokenInformationClass, LPVOID TokenInformation, DWORD TokenInformationLength, PDWORD ReturnLength);
+DECLSPEC_IMPORT BOOL WINAPI KERNEL32$CloseHandle(HANDLE hObject);
+DECLSPEC_IMPORT HANDLE WINAPI KERNEL32$GetCurrentProcess(void);
+
 //CreateScheduledTask
 DECLSPEC_IMPORT HRESULT WINAPI OLE32$CoInitializeEx(LPVOID pvReserved, DWORD dwCoInit);
 DECLSPEC_IMPORT void WINAPI OLE32$CoUninitialize(void);

BIN
KIT/AddTaskScheduler/addtaskscheduler.o