Forum Discussion

LewisMutton's avatar
LewisMutton
Icon for Ambassador rankAmbassador
3 months ago

Trick or Treat on Specter Street: Ghost of the SOC

I know it's one of the challenge labs but I'm fairly sure I'm missing something extremely straight forward, it's 100 point difficulty 4.... Someone help me please! I'm banging my head against a wall ...
challenges
help & support
steven's avatar
steven
Icon for Ambassador rankAmbassador
2 months ago

maybe I was too radical, i've deleted everything which was not by windows :)

Get-ScheduledTask | Where-Object { $_.TaskPath -notlike '\Microsoft\*' } | ForEach-Object {
  try {
    Disable-ScheduledTask -TaskName $_.TaskName -TaskPath $_.TaskPath -ErrorAction Stop | Out-Null
    Unregister-ScheduledTask -TaskName $_.TaskName -TaskPath $_.TaskPath -Confirm:$false -ErrorAction Stop
    Write-Host "Removed: $($_.TaskPath)$($_.TaskName)"
  } catch {
    Write-Warning "Failed: $($_.TaskPath)$($_.TaskName) — $($_.Exception.Message)"
  }
}

solved the lab and removed some services too much, but hey, .. to be on the safe side :)

  • SamDickison's avatar
    SamDickison
    Icon for Community Manager rankCommunity Manager
    2 months ago

    Purge the services!

  • jitu's avatar
    jitu
    Bronze I
    2 months ago

    How do you run this with the service account credential? I schedule a task and chose to run it with the svc credential, but it does not delete the persistence. I just removes some local tasks for the normal user.

    • edgarloredo's avatar
      edgarloredo
      Bronze III
      2 months ago

      If you already have svc credentials, try to open Schedule Task as svc user and you can easily find and delete the task