TaskHound: New Open-Source Tool Audits Windows Scheduled Tasks for Privileged Credentials and Tier-0 Risks

A developer operating under the handle 0xr0BIT has released a new Windows security-audit tool called TaskHound. It is designed to discover scheduled tasks that run with elevated privileges or that rely on stored credentials—assets that are particularly attractive to adversaries.

TaskHound enumerates tasks over SMB, parses their XML descriptors, and highlights dangerous elements. It places special emphasis on Tier-0 tasks executed on behalf of domain administrators, controllers, and other high-value accounts.

Results may be exported to BloodHound and BloodHound Community Edition formats to construct attack graphs. The tool auto-detects output formats and employs built-in heuristics to surface “high-value” tasks.

The utility includes password analysis: it compares the password-change timestamp against the task-creation date to assess whether stored secrets might be exploitable via DPAPI dumps. An offline mode supports analysis of previously collected XML files without connecting to hosts. For C2 environments, there is a dedicated BOF implementation compatible with AdaptixC2.

Authentication may be performed via plaintext passwords, NTLM hashes, or Kerberos tickets. Output options include plain text, JSON, and CSV, and the original XML files are preserved for subsequent re-parsing.

Experimental features include a remote-registry check for Credential Guard status; the developer cautions that these capabilities are unsafe for production systems and have been validated only in lab environments.

From an OPSEC perspective, TaskHound relies on impacket for SMB/RPC/Kerberos operations, which yields standard network indicators. To reduce risk, the author recommends using the BOF implementation or performing offline XML analysis.

Planned enhancements comprise a NetExec module, automated extraction of credential blobs for offline decryption, and support for custom Tier-0 mappings. Integration with OpenGraph for visualizing attack chains is also under consideration.

The developer stresses that TaskHound is intended solely for auditing and training purposes and must be used only in environments where explicit authorization from the infrastructure owner has been obtained.

Support Our Threat Intelligence

If you find our technology report and cybersecurity news helpful, consider supporting our work.

Buy Me a Coffee PayPal Crypto

USDT (TRC20):

TN8BdV8cp4T1Cd28gK9qTAnZknzzuwyUtm Copy

USDT (ERC20):

0x3725e1a7d3bc5765499fa6aaafe307fabcd75bce Copy