unknown il y a 2 ans
Parent
commit
bd334ecf26

+ 13 - 12
KIT/TaskScheduler/README.md

@@ -1,5 +1,5 @@
 # TaskScheduler
-This tool can be used to create or delete a scheduled task. It supports multiple trigger options. 
+This tool can be used to create or delete a scheduled task on the current system or a remote host. It supports multiple trigger options. 
 
 >As a rule of thumb, setting a scheduled task for any user but yourself, requires elevated privileges. Furthermore, the tool returns error codes if the operation fails. The most common error codes are: 80070005 (not enough privileges), 80041318/80041319 (most likely you made a typo in one of the input fields), and 80070002 (scheduled task doesn't exist). 
 
@@ -7,6 +7,7 @@ This tool can be used to create or delete a scheduled task. It supports multiple
 * `create`: Indicate that you want to create a new scheduled task.
 * `delete`: Indicate that you want to delete an existing scheduled task.
 * `taskName`: The name of the scheduled task.
+* `hostName`: Specify `""` for the current system or the FQDN of the remote host: `DB01.example.local`. 
 * `programPath`: Path to the program that you want to run like: `C:\Windows\System32\cmd.exe`.
 * `programArguments`: Arguments that you want to pass to the program like: `"/c C:\Windows\System32\calc.exe"` or `""` to leave it empty.
 * `triggerType`: The trigger that signals the execution like: `onetime`, `daily`, `logon`, `startup`, `lock`, `unlock`. For more information, check the TRIGGER OPTIONS below.
@@ -27,19 +28,19 @@ This tool can be used to create or delete a scheduled task. It supports multiple
 * `userID`: Specify the user for which the trigger is set in format: `"DOMAIN\username"` for domain users, `username` for local system users and `""` for all users (requires admin privs if set for another user or all users).
 
 ## Usage
-* `taskscheduler create <taskName> <programPath> "<(optional) programArguments>" onetime <startTime>`
-* `taskscheduler create <taskName> <programPath> "<(optional) programArguments>" daily <startTime> <(optional) expireTime> <(optional) daysInterval> <(optional) delay>`
-* `taskscheduler create <taskName> <programPath> "<(optional) programArguments>" logon <(optional) userID>`
-* `taskscheduler create <taskName> <programPath> "<(optional) programArguments>" startup <(optional) delay>`
-* `taskscheduler create <taskName> <programPath> "<(optional) programArguments>" lock <(optional) userID> <(optional) delay>`
-* `taskscheduler create <taskName> <programPath> "<(optional) programArguments>" unlock <(optional) userID> <(optional) delay>`
-* `taskscheduler delete <taskName>`
+* `taskscheduler create <taskName> <(optional) hostName> <programPath> "<(optional) programArguments>" onetime <startTime>`
+* `taskscheduler create <taskName> <(optional) hostName> <programPath> "<(optional) programArguments>" daily <startTime> <(optional) expireTime> <(optional) daysInterval> <(optional) delay>`
+* `taskscheduler create <taskName> <(optional) hostName> <programPath> "<(optional) programArguments>" logon <(optional) userID>`
+* `taskscheduler create <taskName> <(optional) hostName> <programPath> "<(optional) programArguments>" startup <(optional) delay>`
+* `taskscheduler create <taskName> <(optional) hostName> <programPath> "<(optional) programArguments>" lock <(optional) userID> <(optional) delay>`
+* `taskscheduler create <taskName> <(optional) hostName> <programPath> "<(optional) programArguments>" unlock <(optional) userID> <(optional) delay>`
+* `taskscheduler delete <taskName> <(optional) hostName>`
 
 ## Examples
-* `taskscheduler create TestTask C:\Windows\System32\cmd.exe "/c C:\Windows\System32\calc.exe" daily 2023-03-24T12:08:00 2023-03-28T12:14:00 1 PT2H`
-* `taskscheduler create NewTask C:\Users\Public\Downloads\legit.exe "" logon Testdomain\Administrator`
-* `taskscheduler create OneDrive C:\Data\OneDrive.exe "" unlock "" PT5M`
-* `taskscheduler delete TestTask`
+* `taskscheduler create TestTask "" C:\Windows\System32\cmd.exe "/c C:\Windows\System32\calc.exe" daily 2023-03-24T12:08:00 2023-03-28T12:14:00 1 PT2H`
+* `taskscheduler create NewTask DB01.example.local C:\Users\Public\Downloads\legit.exe "" logon Testdomain\Administrator`
+* `taskscheduler create OneDrive "" C:\Data\OneDrive.exe "" unlock "" PT5M`
+* `taskscheduler delete TestTask DB01.example.local`
 
 ## Compile
 - 1\. Make sure Visual Studio is installed and supports C/C++.

+ 19 - 13
KIT/TaskScheduler/taskscheduler.c

@@ -173,7 +173,7 @@ HRESULT SetUnlockTask(HRESULT hr, ITriggerCollection* pTriggerCollection, wchar_
 }
 
 
-BOOL CreateScheduledTask(char* triggerType, wchar_t* taskName, wchar_t* programPath, wchar_t* programArguments, wchar_t* startTime, wchar_t* expireTime, int daysInterval, wchar_t* delay, wchar_t* userID) {
+BOOL CreateScheduledTask(char* triggerType, wchar_t* taskName, wchar_t * host, wchar_t* programPath, wchar_t* programArguments, wchar_t* startTime, wchar_t* expireTime, int daysInterval, wchar_t* delay, wchar_t* userID) {
     BOOL actionResult = FALSE;
 	HRESULT hr = S_OK;
 
@@ -190,12 +190,14 @@ BOOL CreateScheduledTask(char* triggerType, wchar_t* taskName, wchar_t* programP
         return actionResult;
     }
 	
-	//Vserver can hold remote host > Requires further testing
-	VARIANT Vserver;
+	VARIANT Vhost;
 	VARIANT VNull;
-	OLEAUT32$VariantInit(&Vserver);
+	OLEAUT32$VariantInit(&Vhost);
 	OLEAUT32$VariantInit(&VNull);
-	hr = pTaskService->lpVtbl->Connect(pTaskService, Vserver, VNull, VNull, VNull); 
+	Vhost.vt = VT_BSTR;
+	Vhost.bstrVal = OLEAUT32$SysAllocString(host);
+	
+	hr = pTaskService->lpVtbl->Connect(pTaskService, Vhost, VNull, VNull, VNull); 
     if (FAILED(hr)) {
         //MSVCRT$printf("ITaskService::Connect failed: %x\n", hr); //DEBUG
         pTaskService->lpVtbl->Release(pTaskService);
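Review bot: `Vhost.bstrVal = OLEAUT32$SysAllocString(host);` is used without a NULL check. A VT_BSTR variant holding a NULL BSTR is conventionally read as an empty string, and `Connect` appears to treat an empty server name as the local computer, so a failed allocation (or a NULL `host`, which `go()` takes from `BeaconDataExtract` and passes on unchecked) would make a request aimed at a remote host act on the local system instead of failing. I would return an error before `Connect` when `host` is non-empty and `Vhost.bstrVal` is NULL, and add `if (hostName == NULL) hostName = L"";` after the extract in `go()`. The `FAILED(hr)` branch shown releases `pTaskService`, but no `OLEAUT32$VariantClear(&Vhost);` is visible there. That branch continues outside the hunk, so if it returns without clearing the variant, the new BSTR leaks on every failed connection. The same two points apply to the matching hunk in `DeleteScheduledTask`.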
@@ -355,7 +357,7 @@ BOOL CreateScheduledTask(char* triggerType, wchar_t* taskName, wchar_t* programP
     pTaskFolder->lpVtbl->Release(pTaskFolder);
 	pTaskService->lpVtbl->Release(pTaskService);
 	
-	OLEAUT32$VariantClear(&Vserver);
+	OLEAUT32$VariantClear(&Vhost);
 	OLEAUT32$VariantClear(&VNull);
 	OLE32$CoUninitialize();
 
@@ -363,7 +365,7 @@ BOOL CreateScheduledTask(char* triggerType, wchar_t* taskName, wchar_t* programP
 }
 
 
-BOOL DeleteScheduledTask(wchar_t* taskName) {
+BOOL DeleteScheduledTask(wchar_t* taskName, wchar_t* host) {
     BOOL actionResult = FALSE;
 	HRESULT hr = S_OK;
 
@@ -380,12 +382,14 @@ BOOL DeleteScheduledTask(wchar_t* taskName) {
         return actionResult;
     }
 	
-	VARIANT Vserver;
+	VARIANT Vhost;
 	VARIANT VNull;
-	OLEAUT32$VariantInit(&Vserver);
+	OLEAUT32$VariantInit(&Vhost);
 	OLEAUT32$VariantInit(&VNull);
+	Vhost.vt = VT_BSTR;
+	Vhost.bstrVal = OLEAUT32$SysAllocString(host);
 	
-	hr = pTaskService->lpVtbl->Connect(pTaskService, Vserver, VNull, VNull, VNull);
+	hr = pTaskService->lpVtbl->Connect(pTaskService, Vhost, VNull, VNull, VNull); 
     if (FAILED(hr)) {
         //MSVCRT$printf("ITaskService::Connect failed: %x\n", hr); //DEBUG
         pTaskService->lpVtbl->Release(pTaskService);
@@ -417,7 +421,7 @@ BOOL DeleteScheduledTask(wchar_t* taskName) {
     pTaskFolder->lpVtbl->Release(pTaskFolder);
 	pTaskService->lpVtbl->Release(pTaskService);
 	
-	OLEAUT32$VariantClear(&Vserver);
+	OLEAUT32$VariantClear(&Vhost);
 	OLEAUT32$VariantClear(&VNull);
 	OLE32$CoUninitialize();
 
@@ -441,10 +445,12 @@ int go(char *args, int len) {
 	int daysInterval = 0; 
 	WCHAR *delay = L"";
 	WCHAR *userID  = L""; 
+	WCHAR *hostName  = L""; 
 	
 	BeaconDataParse(&parser, args, len);
 	action = BeaconDataExtract(&parser, NULL);
 	taskName = BeaconDataExtract(&parser, NULL);
+	hostName = BeaconDataExtract(&parser, NULL);
 
 	if (MSVCRT$strcmp(action, "create") == 0) {
 		
@@ -476,10 +482,10 @@ int go(char *args, int len) {
 			delay = BeaconDataExtract(&parser, NULL);
 		}
 
-		res = CreateScheduledTask(triggerType, taskName, programPath, programArguments, startTime, expireTime, daysInterval, delay, userID);
+		res = CreateScheduledTask(triggerType, taskName, hostName, programPath, programArguments, startTime, expireTime, daysInterval, delay, userID);
 	}
 	else if (MSVCRT$strcmp(action, "delete") == 0) {
-		res = DeleteScheduledTask(taskName);
+		res = DeleteScheduledTask(taskName, hostName);
 	}
 	else {
 		BeaconPrintf(CALLBACK_ERROR,"Please specify one of the following options: create | delete\n");

+ 21 - 20
KIT/TaskScheduler/taskscheduler.cna

@@ -1,25 +1,26 @@
 # author REDMED-X
 
 beacon_command_register(
-	"taskscheduler", "Create or delete a scheduled task.\n",
-	"INFO:\nCreate or delete a scheduled task.\n\n" .
-	"BASIC PARAMETERS:\n[create]: Indicate that you want to create a new scheduled task.\n[delete]: Indicate that you want to delete an existing scheduled task.\n[taskName]: The name of the scheduled task.\n[programPath]: Path to the program that you want to run like: C:\\Windows\\System32\\cmd.exe.\n[programArguments]: Arguments that you want to pass to the program like: \"/c C:\\Windows\\System32\\calc.exe\" or \"\" to leave it empty.\n[triggerType]: The trigger that signals the execution like: onetime, daily, logon, startup, lock, unlock. For more information, check the TRIGGER OPTIONS below.\n\n" .
+	"taskscheduler", "Create or delete a scheduled task (local and remote support).",
+	"INFO:\nCreate or delete a scheduled task on the current system or a remote host.\n\n" .
+	"BASIC ARGUMENTS:\n[create]: Indicate that you want to create a new scheduled task.\n[delete]: Indicate that you want to delete an existing scheduled task.\n[taskName]: The name of the scheduled task.\n[hostName]: The FQDN of the remote host or \"\" for the current system.\n[programPath]: Path to the program that you want to run like: C:\\Windows\\System32\\cmd.exe.\n[programArguments]: Arguments that you want to pass to the program like: \"/c C:\\Windows\\System32\\calc.exe\" or \"\" to leave it empty.\n[triggerType]: The trigger that signals the execution like: onetime, daily, logon, startup, lock, unlock. For more information, check the TRIGGER OPTIONS below.\n\n" .
 	"TRIGGER OPTIONS:\n[onetime]: Create task with trigger \"On a schedule one time\".\n[daily]: Create task with trigger \"On a schedule daily.\"\n[logon]: Create task with trigger \"At log on\" (requires admin privs if set for another user or all users).\n[startup]: Create task with trigger \"At startup\" (requires admin privs).\n[lock]: Create task with trigger \"On workstation lock\" (requires admin privs if set for another user or all users).\n[unlock]: Create task with trigger \"On workstation unlock\" (requires admin privs if set for another user or all users).\n\n" .
-	"TRIGGER SPECIFIC PARAMETERS:\n[startTime]: Start time of the trigger in format: 2023-03-24T12:08:00.\n[expireTime]: Expiration time of the trigger in format: 2023-03-24T12:08:00.\n[daysInterval]: Interval in number of days. For example: 1 or 3.\n[delay]: Random time delay after the start time in which the trigger is hit. Use format \"PT2H\" for hours and \"PT15M\" for minutes.\n[userID]: Specify the user for which the trigger is set in format: \"DOMAIN\\username\" for domain users, \"username\" for local system users and \"\" for all users (requires admin privs if set for another user or all users).\n\n" .
-	"USAGE:\ntaskscheduler create <taskName> <programPath> \"<(optional) programArguments>\" onetime <startTime>\ntaskscheduler create <taskName> <programPath> \"<(optional) programArguments>\" daily <startTime> <(optional) expireTime> <(optional) daysInterval> <(optional) delay>\ntaskscheduler create <taskName> <programPath> \"<(optional) programArguments>\" logon <(optional) userID>\ntaskscheduler create <taskName> <programPath> \"<(optional) programArguments>\" startup <(optional) delay>\ntaskscheduler create <taskName> <programPath> \"<(optional) programArguments>\" lock <(optional) userID> <(optional) delay>\ntaskscheduler create <taskName> <programPath> \"<(optional) programArguments>\" unlock <(optional) userID> <(optional) delay>\ntaskscheduler delete <taskName>\n\n" .
-	"EXAMPLES:\ntaskscheduler create TestTask C:\\Windows\\System32\\cmd.exe \"/c C:\\Windows\\System32\\calc.exe\" daily 2023-03-24T12:08:00 2023-03-28T12:14:00 1 PT2H\ntaskscheduler create NewTask C:\\Users\\Public\\Downloads\\legit.exe \"\" logon Testdomain\\Administrator\ntaskscheduler create OneDrive C:\\Data\\OneDrive.exe \"\" unlock \"\" PT5M\ntaskscheduler delete TestTask\n\n");
+	"TRIGGER SPECIFIC ARGUMENTS:\n[startTime]: Start time of the trigger in format: 2023-03-24T12:08:00.\n[expireTime]: Expiration time of the trigger in format: 2023-03-24T12:08:00.\n[daysInterval]: Interval in number of days. For example: 1 or 3.\n[delay]: Random time delay after the start time in which the trigger is hit. Use format \"PT2H\" for hours and \"PT15M\" for minutes.\n[userID]: Specify the user for which the trigger is set in format: \"DOMAIN\\username\" for domain users, \"username\" for local system users and \"\" for all users (requires admin privs if set for another user or all users).\n\n" .
+	"USAGE:\ntaskscheduler create <taskName> <(optional) hostName> <programPath> \"<(optional) programArguments>\" onetime <startTime>\ntaskscheduler create <taskName> <(optional) hostName> <programPath> \"<(optional) programArguments>\" daily <startTime> <(optional) expireTime> <(optional) daysInterval> <(optional) delay>\ntaskscheduler create <taskName> <(optional) hostName> <programPath> \"<(optional) programArguments>\" logon <(optional) userID>\ntaskscheduler create <taskName> <(optional) hostName> <programPath> \"<(optional) programArguments>\" startup <(optional) delay>\ntaskscheduler create <taskName> <programPath> \"<(optional) programArguments>\" lock <(optional) userID> <(optional) delay>\ntaskscheduler create <taskName> <programPath> \"<(optional) programArguments>\" unlock <(optional) userID> <(optional) delay>\ntaskscheduler delete <taskName>\n\n" .
+	"EXAMPLES:\ntaskscheduler create TestTask \"\" C:\\Windows\\System32\\cmd.exe \"/c C:\\Windows\\System32\\calc.exe\" daily 2023-03-24T12:08:00 2023-03-28T12:14:00 1 PT2H\ntaskscheduler create NewTask DB01.example.local C:\\Users\\Public\\Downloads\\legit.exe \"\" logon Testdomain\\Administrator\ntaskscheduler create OneDrive \"\" C:\\Data\\OneDrive.exe \"\" unlock \"\" PT5M\ntaskscheduler delete TestTask DB01.example.local\n\n");
 	
 alias taskscheduler {
     $bid = $1;
     $action = $2;
 	$taskName = $3; 
-    $programPath = $4;
-    $programArguments = $5;
-	$triggerType = $6; 
-	$optionalArg1 = $7;
-	$optionalArg2 = $8;
-	$optionalArg3 = $9;
-	$optionalArg4 = $10;
+	$host = $4; 
+    $programPath = $5;
+    $programArguments = $6;
+	$triggerType = $7; 
+	$optionalArg1 = $8;
+	$optionalArg2 = $9;
+	$optionalArg3 = $10;
+	$optionalArg4 = $11;
 
 
 	# Verify user input
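Review bot: The new `USAGE:` string is only partly updated: the `lock`, `unlock` and `delete` lines still omit the host argument, while the README and the `EXAMPLES:` string in this same call include it (`taskscheduler delete TestTask DB01.example.local`). Those three lines should read like the others, e.g. `taskscheduler delete <taskName> <(optional) hostName>`. Calling the argument "optional" is also misleading for `create`, because `$host = $4;` is positional and leaving it out shifts `programPath` into the host slot. Wording such as `<hostName | "">` would make it clear that an explicit `""` is needed for the current system. The alias body, including the input verification, continues outside this hunk, so I cannot tell whether a missing `$host` is rejected or defaulted to `""` before `bof_pack`.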
@@ -79,28 +80,28 @@ alias taskscheduler {
 
 	# Pack our arguments
 	if ($action eq "delete") {
-       $arg_data  = bof_pack($bid, "zZ", $action, $taskName);
+       $arg_data  = bof_pack($bid, "zZZ", $action, $taskName, $host);
 	   blog($bid, "Tasked to delete scheduled task..");
     }
 	else {
 		blog($bid, "Tasked to create scheduled task..");
 		if ($triggerType eq "onetime") {
-			$arg_data  = bof_pack($bid, "zZZZzZ", $action, $taskName, $programPath, $programArguments, $triggerType, $optionalArg1);
+			$arg_data  = bof_pack($bid, "zZZZZzZ", $action, $taskName, $host, $programPath, $programArguments, $triggerType, $optionalArg1);
 		}
 		if ($triggerType eq "daily") {
-			$arg_data  = bof_pack($bid, "zZZZzZZiZ", $action, $taskName, $programPath, $programArguments, $triggerType, $optionalArg1, $optionalArg2, $optionalArg3, $optionalArg4);
+			$arg_data  = bof_pack($bid, "zZZZZzZZiZ", $action, $taskName, $host, $programPath, $programArguments, $triggerType, $optionalArg1, $optionalArg2, $optionalArg3, $optionalArg4);
 		}
 		if ($triggerType eq "logon") {
-			$arg_data  = bof_pack($bid, "zZZZzZ", $action, $taskName, $programPath, $programArguments, $triggerType, $optionalArg1);
+			$arg_data  = bof_pack($bid, "zZZZZzZ", $action, $taskName, $host, $programPath, $programArguments, $triggerType, $optionalArg1);
 		}
 		if ($triggerType eq "startup") {
-			$arg_data  = bof_pack($bid, "zZZZzZ", $action, $taskName, $programPath, $programArguments, $triggerType, $optionalArg1);
+			$arg_data  = bof_pack($bid, "zZZZZzZ", $action, $taskName, $host, $programPath, $programArguments, $triggerType, $optionalArg1);
 		}
 		if ($triggerType eq "lock") {
-			$arg_data  = bof_pack($bid, "zZZZzZZ", $action, $taskName, $programPath, $programArguments, $triggerType, $optionalArg1, $optionalArg2);
+			$arg_data  = bof_pack($bid, "zZZZZzZZ", $action, $taskName, $host, $programPath, $programArguments, $triggerType, $optionalArg1, $optionalArg2);
 		}
 		if ($triggerType eq "unlock") {
-			$arg_data  = bof_pack($bid, "zZZZzZZ", $action, $taskName, $programPath, $programArguments, $triggerType, $optionalArg1, $optionalArg2);
+			$arg_data  = bof_pack($bid, "zZZZZzZZ", $action, $taskName, $host, $programPath, $programArguments, $triggerType, $optionalArg1, $optionalArg2);
 		}
 	}
 	

BIN
KIT/TaskScheduler/taskscheduler.o