Cyber Security News

TaskHound Tool – Detects Windows Scheduled Tasks Running with Elevated Privileges and Stored Credentials

A new open-source security tool, TaskHound, helps penetration testers and security professionals identify high-risk Windows scheduled tasks that could expose systems to attacks.

The tool automatically discovers tasks running with privileged accounts and stored credentials, making it a valuable addition to security assessments.

What Makes TaskHound Different?

TaskHound stands out by automating the discovery of dangerous scheduled tasks across Windows networks.

Instead of manually searching through system logs, the tool scans remote machines over SMB and parses task XML files to identify security weaknesses.

| Feature | Use Case |
| --- | --- |
| Tier 0 Detection | Identify high-value administrative account exposure |
| BloodHound Integration | Correlate tasks with attack paths for risk assessment |
| Password Analysis | Work with the existing BloodHound infrastructure |
| Offline Analysis | Analyze tasks in OPSEC-conscious environments |
| BOF Implementation | Beacon-based operations without direct network access |
| Credential Guard Detection | Evaluate DPAPI dump success likelihood |
| SID Resolution | Improve readability in mixed SID/username environments |
| Multi-format Support | Work with existing BloodHound infrastructure |
| Flexible Authentication | Flexible authentication for various network scenarios |
| Multiple Output Formats | Integrate findings into security workflows and reporting |

TaskHound looks for tasks running as administrative accounts, privileged users, or Tier 0 accounts, which are typically the highest-value targets for attackers.

The tool integrates with BloodHound, a popular network security visualization platform.

This integration enables security teams to automatically correlate scheduled tasks with BloodHound’s attack path data, revealing which tasks pose the most significant risk in their environment.

TaskHound includes several powerful features for threat hunters. It automatically detects tasks assigned to Tier 0 users, such as Domain Admins and Enterprise Admins.

The tool analyzes when credentials were last changed compared to when tasks were created, helping identify old passwords that could be vulnerable to offline cracking.
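The two checks described above (a task XML whose principal has a stored password, and a password that has not changed since the task was registered) can be reproduced on a defender's own task exports. The following is an added example, not TaskHound's code; the task XML, the Tier 0 list and the password-last-set dates are constructed, and in a real audit they would come from the Tasks folder and from Active Directory or BloodHound.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

# Namespace used by every Windows scheduled task XML file.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Constructed sample: a task registered to run as a service account whose
# password is stored on the host (LogonType "Password"), as it would be read
# from \\host\C$\Windows\System32\Tasks\.
SAMPLE_TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Date>2023-01-15T09:00:00</Date></RegistrationInfo>
  <Principals>
    <Principal id="Author">
      <UserId>CORP\\svc_backup</UserId>
      <LogonType>Password</LogonType>
      <RunLevel>HighestAvailable</RunLevel>
    </Principal>
  </Principals>
  <Actions Context="Author"><Exec><Command>C:\\scripts\\backup.cmd</Command></Exec></Actions>
</Task>"""

# Hypothetical directory data (constructed): Tier 0 accounts and pwdLastSet.
TIER0 = {"corp\\administrator", "corp\\svc_backup"}
PWD_LAST_SET = {"corp\\svc_backup": datetime(2021, 6, 1)}

# Logon types that require the scheduler to keep a copy of the password.
STORED_PASSWORD_LOGON_TYPES = {"Password", "InteractiveTokenOrPassword"}


def audit_task(xml_text, tier0=TIER0, pwd_last_set=PWD_LAST_SET):
    """Return findings for one task XML: the run-as user, whether a password
    is stored for it, whether it is Tier 0, and whether the password was last
    set before the task was registered (so the stored copy is still current)."""
    root = ET.fromstring(xml_text)
    principal = root.find("t:Principals/t:Principal", NS)
    user = (principal.findtext("t:UserId", default="", namespaces=NS) or "").strip()
    logon = principal.findtext("t:LogonType", default="", namespaces=NS)
    reg_date = root.findtext("t:RegistrationInfo/t:Date", default="", namespaces=NS)
    created = datetime.fromisoformat(reg_date) if reg_date else None
    key = user.lower()
    stored = logon in STORED_PASSWORD_LOGON_TYPES
    last_set = pwd_last_set.get(key)
    predates = bool(created and last_set and last_set < created)
    return {
        "user": user,
        "stored_credentials": stored,
        "tier0": key in tier0,
        "password_predates_task": predates,
        "high_risk": stored and key in tier0,
    }
```

A task whose LogonType is S4U or ServiceAccount stores no password, so the same parser reports it as low risk even when the principal is Tier 0.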

The platform supports both modern BloodHound Community Edition and legacy BloodHound formats, making it compatible with existing security infrastructure.

TaskHound can also work offline, analyzing previously collected XML files without requiring direct network access.

For operators using AdaptixC2, the tool includes a Beacon Object File implementation. During a penetration test, TaskHound quickly identifies exploitation opportunities.

Tasks running under compromised accounts can be manipulated to gain system access.

The tool provides detailed reporting showing task locations, associated credentials, creation dates, and recommended next steps for each finding.

Figure: TaskHound tool output

The creator emphasizes strict OPSEC (operational security) considerations. Since the tool relies on standard SMB operations, network defenders could detect its activity.

For sensitive assessments, users can employ the standalone BOF version or manually collect tasks for offline analysis.

The project roadmap includes a direct BloodHound database connector and a dedicated NetExec module to expand integration with other popular security frameworks.

The developer also plans automated credential extraction for offline decryption.

TaskHound fills an essential gap in Windows privilege-escalation assessment, automating a tedious manual process while providing actionable intelligence to security teams protecting enterprise networks.


Abinaya

Abi is a Security Editor and fellow reporter with Cyber Security News. She covers cyber security incidents happening in cyberspace.
