# SharpGhostTask
A C# port from Invoke-GhostTask
## Description
Tampering with Scheduled Tasks is a known and well-worked technique. Simply editing tasks through the GUI or with the `schtasks` command leaves an event log entry behind (4698).
![image](https://github.com/dmcxblue/SharpGhostTask/assets/41899653/f0794e99-4565-4f19-b151-b5398128dc1f)
Editing a task also leaves an event log entry behind (4702). The screenshot below shows that a task was updated.
![image](https://github.com/dmcxblue/SharpGhostTask/assets/41899653/7ccf5ee1-794b-49d1-8b9d-4165293e1a82)
Scheduled Tasks can also be edited in a more complicated way via the Registry keys; that's where [Invoke-GhostTask](https://gist.github.com/Workingdaturah/991de2d176b4b8c8bafd29cc957e20c2) by [@SchrodingersAV](https://twitter.com/SchrodingersAV) comes in handy. SharpGhostTask uses the method from Invoke-GhostTask to edit the Registry keys, manipulating the binary values of the targeted task.
We can see below how this looks in the Registry keys.
![image](https://github.com/dmcxblue/SharpGhostTask/assets/41899653/7aaa8467-cbf6-47b2-87ca-381efb3b531c)
SharpGhostTask replaces the binary value without breaking the rest of the Scheduled Task, substituting a payload that we control. In the following example the replaced binary value points to `calc`.
![image](https://github.com/dmcxblue/SharpGhostTask/assets/41899653/1094048a-7d78-4b29-a4c8-51d8f6c8beab)
Replacing this value via the Registry keys also avoids the 4702 log in the Event Viewer, but monitoring the Registry keys can be a giveaway. This also comes with challenges: you need SYSTEM access to be able to edit these task Registry keys. I've had luck executing the Task once it was changed, but to be safe a Restart is required.
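
The detection side of the point above, as an added example that is not part of SharpGhostTask or Invoke-GhostTask: it correlates registry value-set events on a task's `Actions` value with 4702 events and flags writes that have no matching task-update log. The TaskCache path, the use of Sysmon event 13 as the registry source, the 5-second window, the function name and all sample events are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Standard Windows task cache location; not spelled out in the page text (assumption).
BASE = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks"
ACTIONS_RE = re.compile(r"\\TaskCache\\Tasks\\(\{[0-9A-Fa-f-]{36}\})\\Actions$")
WINDOW = timedelta(seconds=5)  # hypothetical correlation window

# Constructed GUID -> task name map, keys upper-case
# (in practice read from the Id value under TaskCache\Tree\<task>).
TASK_NAMES = {
    "{11111111-1111-1111-1111-111111111111}": r"\BackupJob",
    "{22222222-2222-2222-2222-222222222222}": r"\UpdateCheck",
}

# Constructed events: Sysmon 13 (registry value set) and Security 4702 (task updated).
EVENTS = [
    {"id": 13, "time": "2024-01-10T09:00:00", "image": r"C:\Windows\System32\svchost.exe",
     "target": BASE + r"\{11111111-1111-1111-1111-111111111111}\Actions"},
    {"id": 4702, "time": "2024-01-10T09:00:01", "task": r"\BackupJob"},
    {"id": 13, "time": "2024-01-10T09:30:00", "image": r"C:\Temp\tool.exe",
     "target": BASE + r"\{22222222-2222-2222-2222-222222222222}\Actions"},
    {"id": 13, "time": "2024-01-10T09:31:00", "image": r"C:\Windows\System32\svchost.exe",
     "target": BASE + r"\{11111111-1111-1111-1111-111111111111}\DynamicInfo"},
]

def find_silent_action_edits(events, task_names):
    """Return writes to a task's Actions value with no 4702 for that task within WINDOW."""
    updates = [(datetime.fromisoformat(e["time"]), e["task"])
               for e in events if e["id"] == 4702]
    findings = []
    for e in events:
        m = ACTIONS_RE.search(e.get("target", "")) if e["id"] == 13 else None
        if not m:
            continue  # not a registry write to an Actions value
        guid = m.group(1).upper()
        name = task_names.get(guid)  # None for an unmapped GUID, which is also flagged
        when = datetime.fromisoformat(e["time"])
        logged = any(t == name and abs(ts - when) <= WINDOW for ts, t in updates)
        if not logged:
            findings.append({"guid": guid, "task": name,
                             "image": e["image"], "time": e["time"]})
    return findings

if __name__ == "__main__":
    for hit in find_silent_action_edits(EVENTS, TASK_NAMES):
        print("Actions changed without 4702:", hit)
```

The writing process (`image`) is worth alerting on as well: a legitimate update goes through the Task Scheduler service, so a write from any other process deserves a look even when the timing check is inconclusive.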
## Demo
![SharpGhostTask](https://github.com/dmcxblue/SharpGhostTask/assets/41899653/d2045f62-cb50-4197-9205-78d285b4858b)