In the world of cybersecurity, overlooked Windows scheduled tasks often become easy targets for attackers seeking to escalate privileges.
TaskHound, a new open-source tool from security researcher 0xr0BIT, simplifies the hunt for these vulnerabilities by enumerating tasks over SMB connections, parsing their XML definitions, and flagging those running under privileged accounts with stored credentials.
Designed for penetration testers and red teams, it integrates seamlessly with BloodHound to highlight high-value attack paths, turning tedious manual reviews into automated insights.
Released on GitHub, TaskHound addresses common pain points in Active Directory assessments by identifying credential-storing tasks across networks, thereby revealing opportunities for domain dominance.
The tool's development stems from real-world pentesting frustrations, where sifting through task XML files filled with complex schemas like <Principal id="Author"> and <LogonType>Password</LogonType> wastes hours.
TaskHound automates this by mounting remote C$ shares, crawling directories such as C:\Windows\System32\Tasks, and extracting key fields, including RunAs user IDs, command lines (e.g., C:\Scripts\backup.exe --daily), triggers (e.g., daily at 23:00), and creation dates.
It skips noisy Microsoft tasks by default for speed, but can include them via flags like --include-ms.
Enabled tasks with LogonType=Password are prioritized because they store credentials that can be decrypted from DPAPI blobs, potentially yielding active domain admin passwords.
Key Features and Detection
TaskHound excels at tiered privilege detection, classifying tasks as TIER-0 (e.g., Domain Admins via SID patterns such as S-1-5-21-*-512), PRIVILEGED (high-value users), or standard.
It loads BloodHound exports or connects live to Legacy or Community Edition (BHCE) instances, querying for AdminSDHolder (admincount=1) or for groups such as Enterprise Admins.
For SIDs in tasks, such as S-1-5-21-3211413907-14631080-1147255650-500, it resolves them via BloodHound or LDAP, supporting dedicated credentials (e.g., --ldap-user marge.simpson) to avoid authentication issues that arise when only an NTLM hash is available.
Password analysis compares task creation dates against user password ages from BloodHound, flagging stale ones (e.g., "Password changed AFTER task creation"). Experimental DPAPI support extracts blobs from systemprofile\AppData\Local\Microsoft\Credentials and decrypts them with a provided SYSTEM key (e.g., --dpapi-key 0x51e43225…), detecting Credential Guard via registry checks.
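To make the parsing and classification described above concrete (the Principal/LogonType fields pulled from task XML, the SID-pattern tiering, and the comparison of task creation date against password age), here is an added Python example written from an auditor's side; it is not TaskHound's code. It assumes the standard Task Scheduler XML namespace, uses a constructed set of high-value principals and password-change dates in place of BloodHound data, and treats RIDs 500, 512 and 519 as TIER-0 by its own policy.

```python
import os
import xml.etree.ElementTree as ET
from datetime import datetime

# Every Task Scheduler definition under C:\Windows\System32\Tasks uses this namespace.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Well-known RIDs this example treats as TIER-0 (a policy assumption, not TaskHound's exact list):
# 500 = built-in Administrator, 512 = Domain Admins, 519 = Enterprise Admins.
TIER0_RIDS = {"500", "512", "519"}


def parse_task(xml_data):
    """Pull the audit-relevant fields out of one task definition (str or bytes)."""
    root = ET.fromstring(xml_data)

    def text(path):
        node = root.find(path, NS)
        return node.text.strip() if node is not None and node.text else None

    run_as = (text("t:Principals/t:Principal/t:UserId")
              or text("t:Principals/t:Principal/t:GroupId"))
    command = text("t:Actions/t:Exec/t:Command")
    args = text("t:Actions/t:Exec/t:Arguments")
    return {
        "author": text("t:RegistrationInfo/t:Author"),
        "created": text("t:RegistrationInfo/t:Date"),
        # <Settings><Enabled> defaults to true when the element is absent.
        "enabled": (text("t:Settings/t:Enabled") or "true").lower() == "true",
        "run_as": run_as,
        "logon_type": text("t:Principals/t:Principal/t:LogonType"),
        "command": " ".join(p for p in (command, args) if p) or None,
    }


def classify(run_as, privileged_principals):
    """TIER-0 by well-known domain RID, PRIVILEGED if on the high-value list, else STANDARD."""
    if not run_as:
        return "STANDARD"
    if run_as.upper().startswith("S-1-5-21-") and run_as.rsplit("-", 1)[-1] in TIER0_RIDS:
        return "TIER-0"
    if run_as.upper() in {p.upper() for p in privileged_principals}:
        return "PRIVILEGED"
    return "STANDARD"


def audit_task(xml_data, privileged_principals=(), pwd_last_set=None):
    """Classify one task, flag whether it stores a credential, and whether that credential is stale."""
    info = parse_task(xml_data)
    # Only an enabled task with LogonType=Password keeps a reusable credential on the host.
    stores_creds = info["enabled"] and info["logon_type"] == "Password"
    stale = None
    if stores_creds and pwd_last_set and info["run_as"] in pwd_last_set and info["created"]:
        # Task dates may carry 7-digit fractional seconds; keep the part fromisoformat accepts.
        created = datetime.fromisoformat(info["created"][:19])
        stale = pwd_last_set[info["run_as"]] > created   # password changed AFTER task creation
    return {**info, "tier": classify(info["run_as"], privileged_principals),
            "credentials_stored": stores_creds, "password_changed_after_creation": stale}


def audit_tree(tasks_dir, **kwargs):
    """Audit every file below a copied Tasks directory; real files are UTF-16 with a BOM,
    which the XML parser decodes when handed raw bytes."""
    results = {}
    for dirpath, _, files in os.walk(tasks_dir):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                results[path] = audit_task(fh.read(), **kwargs)
    return results


# Constructed sample definitions (not real task files); SID and names echo the article's demo.
SAMPLE_TASKS = {
    "BackupTask": r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Date>2024-01-15T09:30:00.1234567</Date><Author>THESIMPSONS\homer</Author></RegistrationInfo>
  <Principals><Principal id="Author"><UserId>S-1-5-21-3211413907-14631080-1147255650-500</UserId>
    <LogonType>Password</LogonType><RunLevel>HighestAvailable</RunLevel></Principal></Principals>
  <Settings><Enabled>true</Enabled></Settings>
  <Actions Context="Author"><Exec><Command>C:\Scripts\backup.exe</Command><Arguments>--daily</Arguments></Exec></Actions>
</Task>""",
    "ReportTask": r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Date>2024-03-02T08:00:00</Date></RegistrationInfo>
  <Principals><Principal id="Author"><UserId>THESIMPSONS\marge.simpson</UserId><LogonType>S4U</LogonType></Principal></Principals>
  <Actions Context="Author"><Exec><Command>C:\Scripts\report.exe</Command></Exec></Actions>
</Task>""",
    "CleanupTask": r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Principals><Principal id="Author"><UserId>S-1-5-18</UserId><LogonType>ServiceAccount</LogonType></Principal></Principals>
  <Settings><Enabled>false</Enabled></Settings>
  <Actions Context="Author"><Exec><Command>C:\Scripts\cleanup.exe</Command></Exec></Actions>
</Task>""",
}

# Constructed stand-ins for BloodHound data: high-value principals and pwdlastset timestamps.
PRIVILEGED = {r"THESIMPSONS\marge.simpson"}
PWD_LAST_SET = {"S-1-5-21-3211413907-14631080-1147255650-500": datetime(2024, 6, 1, 12, 0, 0)}


def run_samples():
    """Audit the constructed samples; BackupTask comes back TIER-0 with a stale stored credential."""
    return {name: audit_task(xml, PRIVILEGED, PWD_LAST_SET) for name, xml in SAMPLE_TASKS.items()}
```

For a real review, point audit_tree() at a copy of a host's Tasks directory and feed it the high-value principal list and password-change dates exported from BloodHound; every result with credentials_stored set is a task whose stored secret should be rotated or the task moved to a gMSA or S4U logon, and password_changed_after_creation tells you whether the cached secret is already out of date.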
A Beacon Object File (BOF) version enables stealthy collection in C2 frameworks such as Cobalt Strike, producing XML for offline parsing.
Outputs include console summaries with tables (e.g., hostname | TIER-0_TASKS | PRIVILEGED_TASKS), JSON/CSV exports, and raw XML backups.
In a demo against moe.thesimpsons.local, it found a TIER-0 BackupTask running as Administrator, suggesting “Try DPAPI Dump / Task Manipulation” for abuse.
BloodHound Integration and Future Plans
TaskHound’s standout feature is OpenGraph support for BHCE, generating custom nodes (ScheduledTask with 19+ properties like credentialsstored: true) and edges (e.g., Computer → HasTaskWithStoredCreds → Task → RunsAs → User).
This visualizes paths like (Owned User) → AdminTo → (Computer) → HasTask → (Privileged User), using Cypher queries such as MATCH p = (c:Computer)-[:HasTaskWithStoredCreds]->(t:scheduledtask)-[:RunsAs]->(u) RETURN p. Files upload directly via API (e.g., --bh-connector http://127.0.0.1:8080), with config file support for tokens.
Installation is straightforward: create a venv, pip install -r requirements.txt, then run taskhound -u user -p pass -d domain -t target.
For offline mode, process collected XMLs with --offline. OPSEC notes warn about Impacket IOCs and recommend BOF for evasion.
The roadmap includes MITRE ATT&CK mappings, async processing for large environments, and LAPS integration.
As 0xr0BIT notes, it's for authorized audits only, with no warranties. TaskHound streamlines threat hunting, empowering defenders to remediate these persistent risks before attackers exploit them.