TaskHound
Tool to enumerate privileged Scheduled Tasks on Remote Systems
TaskHound hunts for Windows scheduled tasks that run with privileged accounts and stored credentials. It enumerates tasks over SMB, parses XMLs, and identifies high-value attack opportunities through BloodHound integration.
For backstory/lore and detailed explanations: see the associated Blog Posts - Part 1 and Part 2.
Key Features
| Feature | Description |
|---------|-------------|
| Tier 0 & High Value Detection | Automatically identifies tasks running as Domain Admins, Enterprise Admins, and other privileged accounts |
| BloodHound Integration | Connect to live BHCE/Legacy instances or ingest exports for high-value user detection |
| OpenGraph Support | Visualize scheduled tasks as attack path nodes in BloodHound CE |
| LAPS Integration | Auto-retrieve and use LAPS passwords (both Windows LAPS and Legacy) for per-host authentication |
| DPAPI Credential Extraction | Collect and decrypt DPAPI blobs containing stored task credentials |
| Multi-threaded Scanning | Parallel target processing with rate limiting for large environments |
| LDAP-based Tier-0 Detection | Detect privileged accounts via group membership without BloodHound |
| Credential Validation | Verify if stored task passwords are still valid via RPC |
| Offline Analysis | Process mounted disk images or previously collected XMLs |
| Multiple Output Formats | Plain text, JSON, CSV, and HTML security reports with severity scoring |
| SID Resolution | Multi-tier resolution via BloodHound → Cache → LSARPC → LDAP → GC |
| Caching | SQLite-based persistent cache for SID lookups and LAPS credentials |
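The check at the heart of the description above (parse a task's XML, read the run-as account, see whether a password is stored) can be reproduced when auditing task files you have already collected. This is an added example, not TaskHound's own code: the function name `audit_task`, the finding fields and the reviewer-supplied privileged-account list are assumptions, and the sample XML is constructed.

```python
import xml.etree.ElementTree as ET

# Namespace of the Task Scheduler XML schema used by files under System32\Tasks.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Constructed sample task definition (not collected from a real host).
SAMPLE_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Principals>
    <Principal id="Author">
      <UserId>THESIMPSONS\Administrator</UserId>
      <LogonType>Password</LogonType>
    </Principal>
  </Principals>
  <Settings><Enabled>true</Enabled></Settings>
  <Actions Context="Author">
    <Exec><Command>C:\Scripts\backup_beer_recipes.ps1</Command></Exec>
  </Actions>
</Task>"""


def _text(node, path):
    """Stripped text of a child element, or '' when it is absent or empty."""
    return (node.findtext(path, "", NS) or "").strip()


def audit_task(xml_data, privileged_accounts):
    """Return one finding dict per principal that stores a password or is privileged.

    xml_data: str or bytes (bytes lets the parser honour the file's own encoding).
    privileged_accounts: reviewer-supplied names or SIDs, compared case-insensitively.
    """
    root = ET.fromstring(xml_data)
    privileged = {a.casefold() for a in privileged_accounts}
    enabled = _text(root, "t:Settings/t:Enabled").lower() != "false"
    # Actions name the principal they run under through the Context attribute.
    commands = {}
    for actions in root.findall("t:Actions", NS):
        cmds = [" ".join(filter(None, (_text(e, "t:Command"), _text(e, "t:Arguments"))))
                for e in actions.findall("t:Exec", NS)]
        commands.setdefault(actions.get("Context"), []).extend(cmds)
    findings = []
    for p in root.findall("t:Principals/t:Principal", NS):
        user, logon = _text(p, "t:UserId"), _text(p, "t:LogonType")
        stored = logon == "Password"  # the account's password is saved with the task
        is_priv = user.casefold() in privileged
        if stored or is_priv:
            findings.append({"run_as": user, "enabled": enabled,
                             "stored_credentials": stored, "privileged": is_priv,
                             "commands": commands.get(p.get("id"), [])})
    return findings
```

Tasks flagged with both `stored_credentials` and `privileged` are the ones to move to a gMSA or a lower-privileged service account first.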
Quick Start
```bash
# Install
git clone https://github.com/1r0BIT/TaskHound.git
cd TaskHound
python3 -m venv .venv && source .venv/bin/activate
pip install -r requirements.txt && pip install .

# Basic usage - single target
taskhound -u homer.simpson -p 'Doh!123' -d thesimpsons.local -t moe.thesimpsons.local

# Multiple targets with threading
taskhound -u homer.simpson -p 'Doh!123' -d thesimpsons.local --targets-file hosts.txt --threads 10

# Auto-discover all domain computers
taskhound -u homer.simpson -p 'Doh!123' -d thesimpsons.local --dc-ip 10.0.0.1 --auto-targets --threads 20

# With LAPS - auto-retrieves per-host local admin passwords
taskhound -u homer.simpson -p 'Doh!123' -d thesimpsons.local --targets-file hosts.txt --laps --threads 10

# Offline analysis of mounted disk image
taskhound --offline-disk /mnt/disk
```
Auth Support: TaskHound supports most major authentication mechanisms including password, NTLM hash, Kerberos (also with ccache), and AES key authentication.
Configuration File
TaskHound supports TOML configuration files for persistent settings. Create taskhound.toml in your working directory or ~/.config/taskhound/:
```toml
[authentication]
username = "svc_taskhound"
domain = "THESIMPSONS.LOCAL"

[target]
dc_ip = "10.0.0.1"
threads = 10
timeout = 30

[bloodhound]
live = true
connector = "http://127.0.0.1:8080"
api_key = "${BH_API_KEY}"  # Use env vars for secrets
api_key_id = "${BH_API_KEY_ID}"
type = "bhce"

[bloodhound.opengraph]
enabled = true
output_dir = "./opengraph"

[laps]
enabled = true

[cache]
enabled = true
ttl = 86400  # 24 hours
```
Priority: CLI args > Environment variables > Local config > User config > Defaults
AdaptixC2 Integration
TaskHound's BOF is included in the Adaptix Extension-Kit under SAR-BOF/taskhound/.
Demo Output
TTTTT AAA SSS K K H H OOO U U N N DDDD
T A A S K K H H O O U U NN N D D
T AAAAA SSS KKK HHHHH O O U U N N N D D
T A A S K K H H O O U U N NN D D
T A A SSSS K K H H OOO UUU N N DDDD
by 0xr0BIT
[+] Connecting to BloodHound CE at http://127.0.0.1:8080
[+] BloodHound connection successful (API v2)
[+] High Value target data loaded (42 users)
[+] OpenGraph generation enabled (auto-upload active)
[*] Processing target: moe.thesimpsons.local
[+] moe.thesimpsons.local: Connected via SMB
[+] moe.thesimpsons.local: Local Admin Access confirmed
[*] moe.thesimpsons.local: Enumerating scheduled tasks (skipping \Microsoft)
[+] moe.thesimpsons.local: Found 12 tasks (3 privileged, 2 with stored credentials)
┌──────────────────────────────────────────────────────────────────────────────┐
│ [TIER-0] moe.thesimpsons.local - \DuffBrewery\BackupJob │
├──────────────────────────────────────────────────────────────────────────────┤
│ Enabled │ True │
│ RunAs │ THESIMPSONS\Administrator │
│ What │ C:\Scripts\backup_beer_recipes.ps1 │
│ Author │ THESIMPSONS\burns.monty │
│ Date │ 2025-06-15T02:30:00 │
│ Trigger │ Calendar (starts 2025-06-15 02:30, daily) │
│ Reason │ Tier 0 - Domain Admins membership │
│ Cred Validation │ CONFIRMED_VALID │
│ Pwd Analysis │ Password unchanged AND ran within schedule - confirmed │
└──────────────────────────────────────────────────────────────────────────────┘
┌──────────────────────────────────────────────────────────────────────────────┐
│ [PRIV] moe.thesimpsons.local - \KrustyBurger\InventorySync │
├──────────────────────────────────────────────────────────────────────────────┤
│ Enabled │ True │
│ RunAs │ THESIMPSONS\svc_krusty │
│ What │ C:\KrustyApps\sync.exe --silent │
│ Author │ THESIMPSONS\carlson.carl │
│ Date │ 2025-03-10T08:00:00 │
│ Trigger │ Calendar (starts 2025-03-10 08:00, every 4 hours) │
│ Reason │ High Value match found in BloodHound │
│ Cred Validation │ DEFINITELY_STALE │
│ Pwd Analysis │ Password changed AFTER last run - credentials are stale │
└──────────────────────────────────────────────────────────────────────────────┘
╭─────────────────────────── SCAN COMPLETE ────────────────────────────────────╮
│ [+] Succeeded: 1 │
│ [-] Failed: 0 │
│ Total time: 2.34s │
│ Avg per target: 2340ms │
╰──────────────────────────────────────────────────────────────────────────────╯
╭─────────────────────────── TASK SUMMARY ─────────────────────────────────────╮
│ Hostname Tier-0 Privileged Normal │
│ moe.thesimpsons.local 1 2 9 │
╰──────────────────────────────────────────────────────────────────────────────╯
╭─────────────────────── BLOODHOUND OPENGRAPH ─────────────────────────────────╮
│ [+] Generated 3 nodes, 5 edges │
│ [+] Uploaded to BloodHound successfully │
│ [*] JSON saved to: ./opengraph/taskhound_data.json │
╰──────────────────────────────────────────────────────────────────────────────╯
BloodHound Integration
TaskHound supports both Legacy BloodHound (Neo4j) and BloodHound Community Edition (BHCE) with automatic format detection.
Live Connection
```bash
# BHCE with API Key (recommended)
taskhound -u homer.simpson -p 'Doh!123' -d thesimpsons.local -t moe.thesimpsons.local \
  --bh-live --bhce --bh-connector http://127.0.0.1:8080 \
  --bh-api-key "YOUR_API_KEY" --bh-api-key-id "YOUR_KEY_ID"

# BHCE with username/password
taskhound -u homer.simpson -p 'Doh!123' -d thesimpsons.local -t moe.thesimpsons.local \
  --bh-live --bhce --bh-connector http://127.0.0.1:8080 \
  --bh-user admin --bh-password password

# Legacy BloodHound (Neo4j)
taskhound -u homer.simpson -p 'Doh!123' -d thesimpsons.local -t moe.thesimpsons.local \
  --bh-live --legacy --bh-connector bolt://127.0.0.1:7687 \
  --bh-user neo4j --bh-password password
```
