TaskHound Tool – Detects Windows Scheduled Tasks Running with Elevated Privileges and Stored Credentials

A new open-source security tool, TaskHound, helps penetration testers and security professionals identify high-risk Windows scheduled tasks that could expose systems to attacks.

The tool automatically discovers tasks running with privileged accounts and stored credentials, making it a valuable addition to security assessments.

What Makes TaskHound Different?

TaskHound stands out by automating the discovery of dangerous scheduled tasks across Windows networks.

Instead of manually searching through system logs, the tool scans remote machines over SMB and parses task XML files to identify security weaknesses.

Feature                    | Use Case
---------------------------+-----------------------------------------------------------
Tier 0 Detection           | Identify high-value administrative account exposure
BloodHound Integration     | Correlate tasks with attack paths for risk assessment
Password Analysis          | Work with the existing BloodHound infrastructure
Offline Analysis           | Analyze tasks in OPSEC-conscious environments
BOF Implementation         | Beacon-based operations without direct network access
Credential Guard Detection | Evaluate DPAPI dump success likelihood
SID Resolution             | Improve readability in mixed SID/username environments
Multi-format Support       | Work with existing BloodHound infrastructure
Flexible Authentication    | Flexible authentication for various network scenarios
Multiple Output Formats    | Integrate findings into security workflows and reporting

It looks for tasks running as administrative accounts, privileged users, or Tier 0 accounts, which are typically the highest-value targets for attackers.

The tool integrates with BloodHound, a popular network security visualization platform.

This integration enables security teams to automatically correlate scheduled tasks with BloodHound’s attack path data, revealing which tasks pose the most significant risk in their environment.

TaskHound includes several powerful features for threat hunters. It automatically detects tasks assigned to Tier 0 users, such as Domain Admins and Enterprise Admins.

The tool analyzes when credentials were last changed compared to when tasks were created, helping identify old passwords that could be vulnerable to offline cracking.
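As an added example (not TaskHound's own code), the kind of check the tool performs on a collected task XML: flag a principal that runs with a stored password (LogonType Password) at an elevated run level, mark Tier 0 accounts, and compare the account's password-last-set date with the task's registration date. The task definition and the ACCOUNTS table are constructed; ACCOUNTS stands in for the directory or BloodHound data the tool would consult.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

# Real Task Scheduler schema namespace; every element in a task XML lives under it.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Constructed stand-in for directory data (what a BloodHound export would supply):
# account -> (pwdLastSet, is Tier 0). Assumption for this example, not real data.
ACCOUNTS = {
    "CORP\\svc_backup": (datetime(2019, 6, 1), False),
    "CORP\\da_jsmith": (datetime(2024, 1, 10), True),
}

# Constructed task definition using the genuine schema element names.
TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Date>2021-03-15T10:22:31</Date></RegistrationInfo>
  <Principals><Principal id="Author">
    <UserId>CORP\\svc_backup</UserId>
    <LogonType>Password</LogonType>
    <RunLevel>HighestAvailable</RunLevel>
  </Principal></Principals>
  <Actions Context="Author"><Exec><Command>C:\\Scripts\\backup.cmd</Command></Exec></Actions>
</Task>"""

def triage_task(xml_text, accounts, now=datetime(2025, 10, 1)):
    """Return the risk indicators a defender would want for one task definition."""
    root = ET.fromstring(xml_text)
    p = root.find("t:Principals/t:Principal", NS)
    user = p.findtext("t:UserId", default="", namespaces=NS).strip()
    logon = p.findtext("t:LogonType", default="", namespaces=NS)
    run_level = p.findtext("t:RunLevel", default="LeastPrivilege", namespaces=NS)
    created_txt = root.findtext("t:RegistrationInfo/t:Date", default="", namespaces=NS)
    created = datetime.fromisoformat(created_txt) if created_txt else None
    pwd_last_set, tier0 = accounts.get(user, (None, False))
    finding = {
        "user": user,
        # LogonType Password means the scheduler keeps the account's password on disk.
        "stored_credential": logon == "Password",
        "elevated": run_level == "HighestAvailable",
        "tier0": tier0,
        # Password unchanged since the task was registered: the stored secret is still current.
        "credential_current": bool(created and pwd_last_set and pwd_last_set <= created),
        "password_age_days": (now - pwd_last_set).days if pwd_last_set else None,
    }
    finding["high_risk"] = finding["stored_credential"] and (finding["elevated"] or tier0)
    return finding
```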

The platform supports both modern BloodHound Community Edition and legacy BloodHound formats, making it compatible with existing security infrastructure.

TaskHound can also work offline, analyzing previously collected XML files without requiring direct network access.

For operators using AdaptixC2, the tool includes a Beacon Object File (BOF) implementation. During a penetration test, TaskHound quickly identifies exploitation opportunities.

Tasks running under compromised accounts can be manipulated to gain system access.

The tool provides detailed reporting showing task locations, associated credentials, creation dates, and recommended next steps for each finding.

Taskhound tool output

The creator emphasizes strict OPSEC (operational security) considerations. Since the tool relies on standard SMB operations, network defenders could detect its activity.

For sensitive assessments, users can employ the standalone BOF version or manually collect tasks for offline analysis.

The project roadmap includes a direct BloodHound database connector and a dedicated NetExec module to expand integration with other popular security frameworks.

The GitHub developer also plans automated credential extraction for offline decryption.

TaskHound fills an essential gap in Windows privilege-escalation assessment, automating a tedious manual process while providing actionable intelligence to security teams protecting enterprise networks.
