Forum Discussion

LewisMutton's avatar
LewisMutton
Icon for Bronze III rankBronze III
2 months ago

Trick or Treat on Specter Street: Ghost of the SOC

I know it's one of the challenge labs but I'm fairly sure I'm missing something extremely straight forward, it's 100 point difficulty 4.... Someone help me please! I'm banging my head against a wall ...
challenges
help & support
steven's avatar
steven
Icon for Silver II rankSilver II
24 days ago

maybe I was too radical, i've deleted everything which was not by windows :)

Get-ScheduledTask | Where-Object { $_.TaskPath -notlike '\Microsoft\*' } | ForEach-Object {
  try {
    Disable-ScheduledTask -TaskName $_.TaskName -TaskPath $_.TaskPath -ErrorAction Stop | Out-Null
    Unregister-ScheduledTask -TaskName $_.TaskName -TaskPath $_.TaskPath -Confirm:$false -ErrorAction Stop
    Write-Host "Removed: $($_.TaskPath)$($_.TaskName)"
  } catch {
    Write-Warning "Failed: $($_.TaskPath)$($_.TaskName) — $($_.Exception.Message)"
  }
}

solved the lab and removed some services too much, but hey, .. to be on the safe side :)

jitu's avatar
jitu
Icon for Bronze I rankBronze I
15 days ago

How do you run this with the service account credential? I schedule a task and chose to run it with the svc credential, but it does not delete the persistence. I just removes some local tasks for the normal user.

  • edgarloredo's avatar
    edgarloredo
    Icon for Bronze III rankBronze III
    15 days ago

    If you already have svc credentials, try to open Schedule Task as svc user and you can easily find and delete the task