Forum Discussion
AmbassadorTrick or Treat on Specter Street: Ghost of the SOC
Ambassadormaybe I was too radical, i've deleted everything which was not by windows :)
Get-ScheduledTask | Where-Object { $_.TaskPath -notlike '\Microsoft\*' } | ForEach-Object {
try {
Disable-ScheduledTask -TaskName $_.TaskName -TaskPath $_.TaskPath -ErrorAction Stop | Out-Null
Unregister-ScheduledTask -TaskName $_.TaskName -TaskPath $_.TaskPath -Confirm:$false -ErrorAction Stop
Write-Host "Removed: $($_.TaskPath)$($_.TaskName)"
} catch {
Write-Warning "Failed: $($_.TaskPath)$($_.TaskName) — $($_.Exception.Message)"
}
}solved the lab and removed some services too much, but hey, .. to be on the safe side :)
How do you run this with the service account credential? I schedule a task and chose to run it with the svc credential, but it does not delete the persistence. I just removes some local tasks for the normal user.
edgarloredoAdvocate
If you already have svc credentials, try to open Schedule Task as svc user and you can easily find and delete the task
PRABAKARANRAMAMURTHYHow did you get the svc creds? edgarloredo
I think I've done this but the lab isn't registering it. I have the service account, I have opened Task Scheduler with and disabled and deleted the tasks. What am I still missing? It's taken far toooo long for a level 4 lab!
- PRABAKARANRAMAMURTHY
Have you got the credentials? jitu
