NT Automated Tasks / Drive Mappings Vulnerability
Any automated task that relies on mapped drives and runs at a higher privilege level than the logged-on user can be exploited by changing the drive mapping. By replicating the directory structure of the intended drive and replacing the contents of the scheduled executables or configuration files with other data, a local attacker can cause arbitrary code to be executed at an elevated privilege level.
\\Workstation has the following drive mapping:
and there is an AT job that runs S:\Daily.bat every day as the Local Administrator.
Now all the attacker has to do is replace the S: mapping with one that points to a location where the attacker has write privileges (\\Workstation\C$, for example). If the batch file C:\Daily.bat is then created, it will be run as Local Administrator.
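The mitigation is to have scheduled jobs reference only paths on local fixed disks (or locked-down UNC paths), never a drive letter that a user can re-point with `net use`. The following audit script is an added example, not part of the original advisory; it assumes a current Windows host with the ScheduledTasks module (where legacy AT jobs also show up in the Task Scheduler) and lists every task action whose program does not live on a fixed local disk.

```powershell
# Added defensive audit (not from the advisory): flag scheduled-task actions whose
# program is on a non-fixed drive letter, a UNC path, or a relative path. Run from
# an elevated prompt so tasks owned by other principals are visible.

# Win32_LogicalDisk DriveType 3 = local fixed disk. Anything else (4 = network
# drive, 2 = removable) or a letter that is not present at all can be remapped by
# an ordinary user, which is exactly the weakness described above.
$fixedLetters = Get-CimInstance Win32_LogicalDisk |
    Where-Object { $_.DriveType -eq 3 } |
    ForEach-Object { $_.DeviceID.TrimEnd(':').ToUpper() }

$findings = foreach ($task in Get-ScheduledTask) {
    foreach ($action in $task.Actions) {
        $exe = $action.Execute
        if (-not $exe) { continue }      # COM-handler actions have no Execute path

        # Expand %SystemRoot% and friends so the drive letter is a literal letter.
        $expanded = [Environment]::ExpandEnvironmentVariables($exe.Trim('"'))

        if ($expanded -match '^(?<d>[A-Za-z]):') {
            $drive = $Matches['d'].ToUpper()
            if ($fixedLetters -contains $drive) { continue }   # local fixed disk: OK
            $reason = "drive $drive is not a local fixed disk (mapped/removable/absent)"
        }
        elseif ($expanded -match '^\\\\') {
            $reason = 'UNC path; verify share ACLs and that the path cannot be redirected'
        }
        elseif ($expanded -notmatch '[\\/]') {
            continue                      # bare program name resolved via PATH; not a drive issue
        }
        else {
            $reason = 'relative path; resolution depends on the working directory'
        }

        [pscustomobject]@{
            Task     = "$($task.TaskPath)$($task.TaskName)"
            RunAs    = $task.Principal.UserId
            RunLevel = $task.Principal.RunLevel
            Execute  = $exe
            Reason   = $reason
        }
    }
}

# Tasks running as SYSTEM or an administrator with a flagged path deserve first attention.
$findings | Sort-Object RunAs | Format-Table -AutoSize
```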