Episode 11: ProSec GmbH with Special Guest Robin Unglaub
June 2, 2026
Host
Jared Atkinson
Chief Technology Officer,
SpecterOps
Host
Justin Kohler
Chief Product Officer,
SpecterOps
Guest
Robin Unglaub
Creator of TaskHound,
ProSec GmbH
In this episode of Know Your Adversary, Jared Atkinson and Justin Kohler are joined by Robin Unglaub, creator of TaskHound, an open-source BloodHound OpenGraph extension designed to uncover credential exposure and attack paths hidden within Windows scheduled tasks. Drawing from years of offensive security experience, Robin explains how a common administrative feature can become a valuable source of privilege escalation and lateral movement opportunities for attackers.
The discussion covers how scheduled tasks store and use credentials, why they frequently appear during security assessments, and how TaskHound helps operators and defenders visualize these relationships directly within BloodHound. Robin also demonstrates how graph-based analysis can reveal tier-zero exposure, identify high-value targets, and uncover misconfigurations that might otherwise go unnoticed.
Along the way, the group explores OpenGraph, operational security considerations, and upcoming TaskHound features that expand visibility into additional credential sources across enterprise environments.
00:00:12:21 - 00:00:34:07
Jared Atkinson
Welcome back to the Know Your Adversary podcast. I'm Jared Atkinson, I'm Justin Kohler, and today we're joined by Robin Unglaub. And he's going to be talking to us about, yeah, we were practicing his name off camera here, and I think I got pretty close. But Robin is going to be talking to us about TaskHound, which is a BloodHound OpenGraph extension looking at scheduled tasks.
00:00:34:07 - 00:00:51:07
Jared Atkinson
And maybe there's some additional little Easter eggs that we might stumble upon as we talk about it. But, Robin, do you want to take a moment and kind of, like, tell us about you, tell us about your background, kind of what got you interested in interacting with BloodHound and specifically looking at scheduled tasks?
00:00:51:09 - 00:01:25:10
Robin Unglaub
Pure desperation, I can tell you that. Yeah. So hey guys, I'm Robin, I am 35 years old, coming from Germany. And before joining the offsec workforce, I spent the past 13 years in the German military. I cannot dive too deep into the topic, but I had an affection for it from a very, very early age on and essentially, like, did the basic stuff, even for the military then, and essentially picked up hacking as a hobby in 2018.
00:01:25:10 - 00:01:40:14
Robin Unglaub
I think, like, when the big wave of TryHackMe and Hack The Box came, and my current employer, ProSec, just tagged along and said, you're coming with us for a coffee, and I'm not allowed to leave the basement ever since. So.
00:01:40:16 - 00:01:42:13
Jared Atkinson
Literally in a basement right now, right?
00:01:42:15 - 00:02:11:03
Robin Unglaub
Yeah, yeah, yeah, I am literally. It's like, if you can see, maybe you can pan out and post in my new office, which is not renovated yet, but. Well, the thing with scheduled tasks started way earlier than the tool was released, because I always had issues with scheduled tasks, even like we found some in an engagement and the customer had questions about it.
00:02:11:04 - 00:02:41:07
Robin Unglaub
Like, did you find all of them? Or what is the blast radius? What is the impact? And there was never, like, a real comfortable answer to that. Like, either during an engagement, during an op, you always had to scrape stuff manually with above trying to be sneaky, or just randomly do it, pop it up against everything you compromised so far, and then still had to manually parse everything to see if the stuff that you looted was actually valuable in any sense.
00:02:41:07 - 00:02:52:19
Robin Unglaub
So yeah, that's essentially how TaskHound was born, because I was desperate and completely fed up with manually reading scheduled tasks. And also at 2 a.m. at night.
00:02:52:21 - 00:03:10:10
Justin Kohler
Robin. What, what? Just a, like, very basics for people who might not be familiar. Can you explain a scheduled task, like, what system do these live in and what do people usually use them for? And then how do attackers abuse them?
00:03:10:15 - 00:03:36:13
Robin Unglaub
Yeah. So scheduled tasks. If you're familiar with Linux, think like cron jobs, just on the Windows basis. It's essentially like telling Windows, do this thing at that time without me being present. Ideally a service. So you can define tasks, commands that need to run, programs that need to be launched, scripts and everything, and essentially everything you could do on a computer on a command line basis.
00:03:36:15 - 00:04:03:04
Robin Unglaub
And you can automate this depending on different triggers, like if the machine boots, if somebody logs on, if a specific calendar trigger fires, like every Monday at 5 p.m. you should run this script. And what you can do, or what essentially happens if you, as an admin, decide to create a scheduled task and to make it available with a logon type called password.
00:04:03:04 - 00:04:27:20
Robin Unglaub
So you essentially get a prompt where you enter your credentials or the credentials of the user that the task should run as. And these get stored on the system on disk. These credentials are encrypted on disk, and whenever the task trigger fires, these credentials are decrypted, the task is run, and then everything goes back to normal.
00:04:27:22 - 00:04:42:18
Robin Unglaub
And for us as attackers, this is like a primary target because credentials are sitting there on disk. If it's not particularly hardened with features like road record, for example, it's just relatively easy for us to pick them.
00:04:42:20 - 00:04:51:20
Justin Kohler
Aside from the password itself, can you hijack the session or the token or anything that's created by the scheduled task, or is it just the password you're looking for?
00:04:51:21 - 00:05:21:07
Robin Unglaub
No, no. Yes. Because, like, the authentication. Oh, sorry. Keep on. Because the session that gets created, or the authentication mechanism, is actually different from the task itself. So what you can do as an attacker, instead of just, like, ripping everything from the poppy on disk, is you can alter the task that's getting executed by altering, like, the XML definition on disk or by hijacking the script, for example, that gets executed.
00:05:21:07 - 00:05:26:09
Robin Unglaub
Anything that's writable for you, you can essentially hijack.
00:05:26:11 - 00:05:33:11
Justin Kohler
And how common are these? Do you find these, like, every engagement? 50% of the time, 70% of the time?
00:05:33:13 - 00:06:09:02
Robin Unglaub
It was actually shocking. Like, the numbers seemed to increase once TaskHound got released, because we got an easy way of checking. But ever since I tried evaluating this, I have yet to find a single engagement where this has not been an issue. Like, sometimes it's a bit more, sometimes it's a bit less. But I have yet to encounter a single engagement where we didn't find scheduled tasks with stored credentials, which is not a bad thing in itself, like, it's intended functionality, but with breaking security boundaries where you definitely shouldn't.
00:06:09:04 - 00:06:30:00
Jared Atkinson
Can you maybe describe what the attack side of this looks like? Are you taking advantage? I know people have used scheduled tasks, for instance, for lateral movement, but that's more about, like, my perspective at least, is that that's more about creating a scheduled task to execute your code as whatever user you are, and just get code exec on the remote endpoint.
00:06:30:00 - 00:06:43:10
Jared Atkinson
This is more about, I assume you already have code exec on the endpoint, and now you're just trying to take over some alternative user account or some alternative identity. Is that an accurate representation, or maybe walk us through.
00:06:43:10 - 00:07:12:03
Robin Unglaub
That also, also for lateral movement. Like, the primary reason for me initially was I wanted to make it easier to identify high value targets for lateral movement, where I want to have code exec or where I need code exec. Like, the initial idea of TaskHound was like a single protocol stack that just uses SMB for plain file read, like, connect to this C, grab all the task definitions, see if there's high value targets, and mark them.
00:07:12:04 - 00:07:18:06
Robin Unglaub
Okay, so this is a dev server. It's running a task as a tier zero admin. That's your next target.
00:07:18:08 - 00:07:39:23
Jared Atkinson
Yeah. So okay, so this reminds me of Will Schroeder. He had a presentation, like, in 2014 that was "I Hunt Sysadmins", and this was all about how he used, like, PowerView to be able to figure out where admins were logged in throughout your environment, and then you would find a path to get to that system, and then you would be able to take over the domain admin, for instance.
00:07:40:02 - 00:07:55:23
Jared Atkinson
This seems like, and that was highly predicated on sessions being established, right? So we could enumerate sessions remotely and say this user is logged on on this computer. Therefore I want to become that user. Therefore, I'm going to go and target that computer to try to take it over and steal that user's identity.
00:07:56:00 - 00:08:14:18
Jared Atkinson
Maybe steal the token, dump their credentials, whatever it may be. This sounds like an alternative approach to figuring out, hey, there's not a session established necessarily, or there may or may not be, but you could evaluate that those credentials are available on that computer. That sounds like kind of what you're describing. Yeah.
00:08:14:20 - 00:08:15:23
Robin Unglaub
Perfectly.
00:08:16:00 - 00:08:46:23
Jared Atkinson
Okay. And then actually, you mentioned that they're encrypted, and you mentioned DPAPI, the Data Protection API, right? So these credentials are encrypted with the Data Protection API. And so you can remotely enumerate what the scheduled tasks are, what credentials are associated with them. But then you have to actually go to the computer and dump whatever the keys are, I guess, in order to decrypt the credentials to steal them.
00:08:47:00 - 00:08:47:23
Jared Atkinson
Is that. Yeah.
00:08:48:01 - 00:09:18:10
Robin Unglaub
Yeah. That's like another reason why TaskHound was developed, because other than that, essentially everything except for the DPAPI system master key is a file on disk. If you have access to the registry backups on disk, you can also copy those. But this would involve, like, something the underlay copy or another approach. So essentially almost everything can be pulled from disk.
00:09:18:10 - 00:09:36:17
Robin Unglaub
But if you want to have the decryption key, you would then have to step into territory where you get louder. So you need to pull the system DPAPI key to be able to decrypt these DPAPI-encrypted credentials.
00:09:36:19 - 00:09:47:12
Jared Atkinson
And the prerequisite to pulling that system DPAPI key is that you become SYSTEM on the computer? I don't know. That's more of a question than a statement, I would guess.
00:09:47:13 - 00:10:11:14
Robin Unglaub
Yeah. You definitely need local admin privileges, even to, if the system is properly configured, or even in default state, you cannot even read task definitions. Like, if you are a low privileged user on a system, or if somebody shared the entire C drive, which just happens sometimes, you cannot even read task definitions. So it's all on the premise that you are already an established,
00:10:11:14 - 00:10:20:19
Robin Unglaub
for example, tier one admin via some other attack path, and so local admin at least.
00:10:20:21 - 00:10:40:03
Justin Kohler
Well, I'm actually super eager to see it, I guess. Why did you, so you mentioned, like, it was born out of necessity, and you, I'm guessing, were a familiar user of BloodHound previous to this, right? So what were you thinking when you were like, if we could see this in BloodHound, here's the thing that we could visualize?
00:10:40:04 - 00:10:45:10
Justin Kohler
Like, did you have that idea in mind when you went to go build it into OpenGraph?
00:10:45:12 - 00:11:10:23
Robin Unglaub
No, actually not. Like, everything happened sort of in parallel. Like, I started developing TaskHound, I think it was in late August or early September last year. And as soon as, like, the first prototype of TaskHound was released internally for company use, somebody, like, showed me a tweet and was like, isn't this what you always dreamed about, or what you always talked about?
00:11:10:23 - 00:11:32:00
Robin Unglaub
And he showed me OpenGraph and I was like, this is it. That's all I want. Because I always, like, I think I said it in the SO-CON talk as well. Like, the only thing that always kept me from doing so much more with BloodHound than was initially possible at the time, was, like, so many ideas.
00:11:32:02 - 00:11:51:16
Robin Unglaub
What if we ingest this? What if we could map this? But it always, like, okay, now we need a custom fork. Now we need to alter the model. Okay? Now everything breaks. How can we show it to the customer without them having to jump through the same hoops that we did? And yeah, so I think it was pretty early in development.
00:11:51:17 - 00:12:01:16
Robin Unglaub
Like, when TaskHound officially got released, it was, like, the first major or the second major update that already got OpenGraph integration.
00:12:01:18 - 00:12:10:17
Justin Kohler
Yeah. So then, I mean, I'm super eager to see it. So like, you get it in there. Can you just take us through a tour of it? Yeah.
00:12:10:18 - 00:12:13:05
Robin Unglaub
Sure, sure.
00:12:13:07 - 00:12:31:08
Jared Atkinson
And for those that are listening, we have a video that you could watch if you want to check out specifically what Robin is showing, but Justin and I will do our best to kind of, like, help to narrate what we're seeing as laymen, as Robin is kind of different. We won't go too far down the rabbit hole.
00:12:31:10 - 00:12:43:14
Robin Unglaub
Let's pray the demo gods are on our side today. Screen shows there. Let me maximize the screen. Is that working?
00:12:43:16 - 00:12:45:12
Jared Atkinson
Yep, it is.
00:12:45:14 - 00:13:06:03
Robin Unglaub
One login also works. So essentially the first thing that you do is to run a giant TaskHound command. Let me just pull the alias up so you can actually see what's happening behind the scenes. So.
00:13:06:05 - 00:13:35:15
Robin Unglaub
You essentially activate, like, a standard Python virtual environment. Specify the TaskHound module, or you install it like you would any other Python application. Then you specify your main authentication credentials, which in this case is my Ludus lab. Then you specify your target domain controller IP, and then a bunch of flags that essentially just, like, tell the tool to connect to BloodHound.
00:13:35:17 - 00:14:00:18
Robin Unglaub
Which URL to use, what the credentials are. You can also just specify the BloodHound API key if you want to use the API, and different output formats. For example, if you want, like, plain standard out, a CSV file, an HTML report. Yeah, and let's just go ahead and run it. Cool.
00:14:00:20 - 00:14:06:17
Justin Kohler
So as it's running, I notice you're using Ludus. Like, you use Ludus a lot to build lab environments for testing?
00:14:06:18 - 00:14:14:20
Robin Unglaub
Yeah. Yeah, definitely. Ever since it got released, it's been a blessing, kind of cutting down on build time.
00:14:14:22 - 00:14:23:20
Justin Kohler
Our team definitely agrees with that. I like that there's a safety switch that's asking if you're an adult before you run TaskHound. Yeah, yeah.
00:14:23:22 - 00:14:46:16
Robin Unglaub
This was actually also born out of necessity, because at first, like, the initial approach was to use it as a pure OpSec, not OpSec-safe but OpSec-cautious, offensive tool. But as more and more feedback, especially from my own team, rolled in, they said, wouldn't it be cool if we also grabbed, like, all the credential blobs?
00:14:46:16 - 00:15:18:20
Robin Unglaub
Wouldn't it be cool if we also did the decryption part? So the tool grew and the footprint got larger, and since it's essentially just Impacket in the back end, it does the same stuff that Impacket would do. And especially stuff like pulling the LSA secrets from remote machines invokes, or needs to start, the remote registry service, which is, yeah, OpSec unsafe to say the least.
00:15:18:21 - 00:15:48:20
Robin Unglaub
Sure, sure. I think it was not a friend, but, like, a customer's admin who essentially made his own SOC light up like a Christmas tree because he was eager to run TaskHound. And that's how this banner was born. Like, if you want to stay sneaky, either use the buff or use, like, these couple of switches that essentially disable all the noisy operations.
00:15:48:20 - 00:15:57:09
Robin Unglaub
You don't get full visibility then, but, sure, the chances of accidentally locking out users or machines are significantly reduced.
00:15:57:14 - 00:16:19:08
Jared Atkinson
I think that's a common kind of, like, dilemma that we have when we're building these, because obviously there's kind of the original BloodHound open source Community Edition use case, which a lot is very red team oriented. And then the BloodHound Enterprise use case is very defender oriented. And, like, I think of Chris Thompson, who wrote config man bare Pig, which is an SCCM collector.
00:16:19:08 - 00:16:44:01
Jared Atkinson
And somebody in the community had already used SCCMHound, so he wanted to get creative. Creative? Yeah, he originally wrote it for the red team use case. And one of the problems is that you can't assume that the red team has, like, full privileges over your SCCM infrastructure. And so there's a bunch of, like, creative ways that he's using to kind of enumerate things in kind of an OpSec-conscious way, I guess you could say.
00:16:44:04 - 00:17:02:11
Jared Atkinson
But then he started converting it for kind of, like, the enterprise collector, what we call open hound. And he's like, this is actually way easier, because I can just assume that you have everything that you need and that you're not concerned about OpSec, and you're doing this in a legitimate way. And he's like, the code is like a quarter of the size, because I don't have to do all these, like, alternative collection routes.
00:17:02:17 - 00:17:12:09
Jared Atkinson
And so there's kind of this constant back and forth of, you know, what use case are we trying to support, and how does that change the way that we do the collection and things like that? Yeah.
00:17:12:11 - 00:17:42:05
Robin Unglaub
I would imagine, like, I think I said it in the Reddit AMA that we did, like, a couple of weeks ago. Like, I wouldn't even mind if this functionality would get built into SharpHound, for example, or in the enterprise collector. Like, if you're having administrative privileges that's running SharpHound and you can make interactive connections to each individual machine, like, pulling the task definitions and a few credential blobs is not much to be added.
00:17:42:05 - 00:18:00:01
Justin Kohler
So for sure it makes sense to do it all in one fell swoop, right? Like, a lot of people have asked us to build things into SharpHound. It is something that we're thinking about. So things like SCCM, right. If we're already running in the environment, it's not the same. Like, this is very the same, right? We're hitting every host, right?
00:18:00:01 - 00:18:22:16
Justin Kohler
For some of, like, the local admin and user session information, people have asked us for stuff like SCCM or SQL. It is something that we're looking at right now. We are focused pretty hard on the other OpenGraph extensions and making those, like, as successful as we can. We'll definitely come back to SharpHound, and what does SharpHound look like in 6 to 12 months?
00:18:22:18 - 00:18:25:01
Justin Kohler
You know, we'll update you.
00:18:25:07 - 00:18:30:22
Robin Unglaub
So that will be nice. All right. Enough staring at the.
00:18:31:00 - 00:18:34:08
Jared Atkinson
Yeah, we're all adults. Let's do the advisory.
00:18:34:08 - 00:18:49:02
Robin Unglaub
Let's get it started. So at first, especially in a lab environment, I always like to clear the cache. So we essentially just prune every entry there. There's a bunch of
00:18:49:04 - 00:19:15:00
Robin Unglaub
initial lookups against, like, the domain controller, tries to resolve the players, like, it grabs the domain admin, all the default admins from BloodHound, and tries to resolve it against LDAP. If that works, then okay, we can actually resolve LDAP, and then we grab either the specified target list, or we can also, like, just pull out all targets automatically from the domain.
00:19:15:02 - 00:19:46:16
Robin Unglaub
And then we connect to each individual target, grab all the task files. Sometimes, don't worry that, like, this error, for example, in the debug build, is essentially just telling me, okay, fine. Often because I was too lazy to actually create all the task files itself, but because it's referencing, like, a material collected attack which doesn't exist, but it doesn't have, like, the functionality.
00:19:46:18 - 00:20:16:08
Robin Unglaub
Then we're starting the remote registry service on all the targets, grabbing the DPAPI master and user keys, and then already get to resolving. And in the verbose output you can actually, like, instantly see a brief overview of what was found on tasks, which should be separated between, like, a normal task, a privileged task and a tier zero task, and a bit of information about them, like, are they enabled?
00:20:16:10 - 00:20:37:10
Robin Unglaub
What is the run-as value, the resolved identity if possible, like, what's being executed? And are the credentials still valid based on heuristics? What was the return code of the task? And of course the password, if everything worked. And this runs for a bit of time until.
00:20:37:11 - 00:20:48:07
Justin Kohler
I mean, even before BloodHound, like, visualizing it, you're getting a lot of really good information just in the output of, like, the run, which is kind of cool.
00:20:48:09 - 00:21:03:13
Robin Unglaub
This, like, essentially happened before the OpenGraph integration. If I started developing TaskHound after OpenGraph got released, I don't think I would have put it this way.
00:21:03:15 - 00:21:30:03
Jared Atkinson
Oh, interesting. Okay. I think there's utility in having something like a collector that stands alone, but also has the ability to convert to BloodHound. Like, there's definitely, like, I think of some AD CS type collectors where there's some standalone tools that could get you, yeah, a lot of the way there from the red team use case of, like, how do I actually attack this?
00:21:30:05 - 00:21:47:00
Justin Kohler
More detail is often necessary for somebody who's trying to fix the problem. Yeah. Well, I think it's that, or communicating, like, the importance or the impact, right? Like, a picture's worth a thousand words, where, like, if you just see a bunch of, like, you know, text on screen, it's like, I can kind of follow along.
00:21:47:00 - 00:22:06:22
Robin Unglaub
But I think especially the standard out to console is fine if you have, like, ten or maybe 50 targets that you're scanning at a time, but especially, like, in larger environments where the scan alone takes, like, half an hour because it's 2000 assets or something, the standard out gets pretty bad.
00:22:07:00 - 00:22:16:07
Justin Kohler
That's actually a really good question. What's the performance on this, like, how big of an environment have you run it in and how long did it take?
00:22:16:09 - 00:22:39:17
Robin Unglaub
So we have to split there, because initially it ran in my lab with, like, 5 or 6 machines. It was completely fine. It was working as designed and took, like, a minute or something. It was completely sequential, and without the cache especially and without, like, async operations, it took, like, ten minutes and had to resolve the same SID, like, ten times for each task.
00:22:39:23 - 00:22:54:02
Robin Unglaub
And the moment I put this in the first corporate environment, with what was, like, 500 hosts at the time, it took, like, or it would have taken multiple days to finish.
00:22:54:04 - 00:23:18:22
Jared Atkinson
Hey, we've all been there, man. I did GitHound, right. And the first environment that was real that I tried to run it against had 40,000 repositories. And let's just say I didn't know that people had 40,000 repositories, and I was doing things in, like, the least efficient way possible. Essentially, it's a real quick way to learn how to make your code more efficient, I think.
00:23:19:00 - 00:23:46:18
Robin Unglaub
Yeah, yeah, it was, like, the first time I saw this, I was like, okay, this cannot continue. I'm making a cut here. Okay? I need two things. I need async operations. Okay, this was actually done pretty easily with Python and threading. But then there was, okay, now if you have async ops, you definitely need some sort of cache, because you don't want to resolve, like, the same SID or the same set ten times.
00:23:46:18 - 00:24:12:10
Robin Unglaub
And then things just grew. Right now, I think, I haven't measured performance effectively, but no TaskHound run has ever, if it's not erode out for some weird reason or you're hitting, like, resolution timeouts on every single lookup you're doing, taken more than 10 to 15 minutes max, including the upload to BloodHound.
00:24:12:11 - 00:24:17:20
Justin Kohler
So once you run this and get the output, what's it look like in the UI?
00:24:17:22 - 00:24:47:07
Robin Unglaub
All right, there we go. Let me just grab this task, for example, with this custom query, which is, like, the most basic default query that you can do with the TaskHound output, which essentially says: take every computer node, use the HasTaskWithStoredCreds edge connected to the scheduled task node, with the Runs edge connect it to the user, and return that path.
00:24:47:08 - 00:24:55:13
Robin Unglaub
And you'd essentially get all the tasks that are running as all the different users on the different machines.
00:24:55:15 - 00:25:19:18
Jared Atkinson
And right away I see an example too, where the very bottom task, yeah, there's a user that's a tier zero user, yeah, and there are scheduled tasks that are running on a non-tier-zero computer. So this would be an example of, like, a tier zero violation, right? So you found a way to escalate to tier zero via a path that's only visible through TaskHound, essentially.
00:25:19:22 - 00:25:23:03
Robin Unglaub
Yeah. Yeah. In the graph output.
00:25:23:05 - 00:25:39:17
Jared Atkinson
Yeah. Very cool. And you're limiting the output. Is it true to say that all scheduled tasks are in the graph, or are you only looking for scheduled tasks that have those stored credentials and kind of excluding everything else?
00:25:39:19 - 00:26:12:13
Robin Unglaub
Yes. So this is, like, distinguished by the edge. So we have two edges, either HasTask or HasTaskWithStoredCreds, which essentially is just based on the logon type. If you see on the right side of the screen, we are on type password. There are different logon types, interactive token for example, or S4U. These would get sorted into the task category, because, like, the task exists and it could potentially be hijacked, for example, if the user logs on, but the credentials aren't stored on the system.
00:26:12:15 - 00:26:20:16
Robin Unglaub
So these would get created, like, with the HasTask edge, and we would need to build a custom filter for them.
00:26:20:18 - 00:26:41:13
Jared Atkinson
And I see, with the "has task with password" or "with the stored password", I see that the password is in the entity panel here. So you're doing some resolution on the password, or the decryption of the password, on the TaskHound collector side. Yes. And so the attack is, like, literally I already have the password.
00:26:41:13 - 00:26:48:20
Jared Atkinson
I don't actually have to necessarily perform any action, besides, like, in addition to collection, in order to take advantage of that. Yes.
00:26:48:21 - 00:27:09:03
Robin Unglaub
This essentially depends on how loud you want to be. Like, if you specify any OpSec flags in the TaskHound collection, like, don't do any looting, don't do any collecting, like, I just want to have the task definitions, then you don't get that output, but by default it, how do I.
00:27:09:06 - 00:27:14:00
Jared Atkinson
This is why we said we're adults, right? Because we wanted to get that. Okay.
00:27:14:01 - 00:27:44:09
Robin Unglaub
Yeah. And something I should note, because this, call it, didn't cause false positives but a few raised eyebrows in the demo right now: I specifically included the domain controller in the output. By default, the domain controller is filtered out, because this is, like, the only place where I would expect real domain-specific tier zero tasks, except for maybe AD CS or some other tier zero assets, to be present.
00:27:44:11 - 00:27:50:23
Robin Unglaub
So by default, if you want to include the DCs, that's an extra flag that you can set.
00:27:51:02 - 00:27:53:16
Justin Kohler
What's the other query you have there?
00:27:53:18 - 00:28:22:05
Robin Unglaub
The other query. This is something sort of a sneak peek into what's upcoming, or if you want to check out the feature branch from TaskHound. And when doing the preparations for the SO-CON talk, units from SpecterOps, like, in the last possible session, he said, you're doing all the fancy stuff with scheduled tasks. Have you ever thought about doing this with services?
00:28:22:07 - 00:29:01:22
Robin Unglaub
And I was like, stop planting ideas into my head. Yeah, because services behave much like scheduled tasks, just that the credentials are stored in a different place, like, they're stored in the LSA directly. And if you are already doing, like, a pass over the scheduled tasks and decrypting all the secrets that you need to do in a dump, you could specifically just dump, like, the one registry key to get the DPAPI system key, but then you can also just do a, like, normal LSA dump, and there's not even decryption there that needs to be performed, essentially.
00:29:01:22 - 00:29:35:15
Robin Unglaub
So except for group managed service accounts, but this is a whole other page that I don't want to open right now. Yeah. So you can essentially, if you specify the services flag, it does a pass over all the identified targets in the environment and does a pass of what are custom services that are running on the system, identifies these custom services, and then tries to pull credentials from them as well.
00:29:35:17 - 00:30:01:18
Jared Atkinson
A really cool thing that I notice is, it's interesting, because on the SharpHound side, we basically treat a computer as this, like, all-encompassing thing. But what you're showing is that there's actually a graph that exists within the computer. So, like, we have a computer node, and then imagine that you, like, zoom in into the computer node and there's this whole new graph that exists within the computer.
00:30:01:20 - 00:30:25:18
Jared Atkinson
It's interesting because previously we kind of hand-waved that a little bit, because the idea was if I have admin to a computer, then there are sufficient ways for me to become admin and then dump credentials for anybody that has logged in. But that doesn't mean that there's not additional information, additional credentials that are available to the computer that are not represented by, for instance, these sessions.
00:30:25:18 - 00:30:44:00
Jared Atkinson
And so it's really cool to see how you are adding that granularity, right, like a new level of granularity into the graph to show, hey, there's more to a computer than just who's logged into the computer. There's a bunch of different ways that credentials are being exposed, and it's deterministic in the way that you can enumerate those.
00:30:44:01 - 00:30:54:18
Jared Atkinson
Right. And so you can go in and enumerate them and show what are all the different opportunities for credential theft or takeover of an identity.
00:30:54:20 - 00:31:26:04
Robin Unglaub
Thank you. This is always something, or was always something, that I tried to tell our juniors as well, or even back in my sysadmin days: every machine in the network serves a purpose, like nobody just installs a server and then it doesn't do anything. So what I always tried, especially also in engagements or team operations, is, what purpose does this machine serve and is everything set up the way it should be set up?
00:31:26:05 - 00:31:47:10
Robin Unglaub
Like, is this a development workstation? What tools are installed there? What services are running there? Is everything consistent in the way that it should have been set up? Or is there any service, scheduled task or whatever that shouldn't belong on that system, like to look for anomalies there.
00:31:47:12 - 00:32:05:06
Justin Kohler
To start to kind of wrap up, was there anything, as you were doing this in BloodHound, was there something that stuck out or was useful in an actual assessment that you're like, wow, if I didn't have the ability to visualize this, I don't know if I would have found it?
00:32:05:08 - 00:32:21:14
Justin Kohler
Is there something that was uniquely helpful about seeing it in BloodHound that you found after you did it, right? You obviously had a vision. I guess what I'm asking is, when did that vision seem like it worked?
00:32:21:16 - 00:32:50:10
Robin Unglaub
From the operational perspective, as soon as it got easier to find an answer to the question, or the customer's question, was it all of them? As soon as we could answer this question, not 100% definitively, because there are still some drawbacks, like if a machine isn't online you can't query it for tasks, but you could give a good estimate now without having to put in tons of effort into answering the question.
00:32:50:11 - 00:33:17:16
Robin Unglaub
And what especially helped was that for the customer, we were able to visualize the things, because there's a difference between handing them a CSV file with a bunch of data in it, and okay, there's maybe a resolved identity, NetBIOS domain name, backslash, username, but you cannot think or visualize it properly, versus if you can show them an attack path.
00:33:17:17 - 00:33:52:04
Robin Unglaub
Okay, we were this user who was by some chance local admin on this machine. And on this machine was a task running as a Tier Zero user. And then you have access to all these assets. If you can place it in a graph and show it to the customer, that was a huge benefit. And also the second thing where it became really clear was in the search of the source of scheduled tasks, because they are created for a reason.
00:33:52:05 - 00:34:30:13
Robin Unglaub
And in one particular instance, there didn't seem to be a specific reason. After days of search, we couldn't find a definitive answer, and then we pulled it into BloodHound again, and then essentially ran the same query as this one: all scheduled tasks with stored credentials. And it showed this was all originating from one computer, or every single computer was connected to the same scheduled task running as the same user, which then pointed us in the direction:
00:34:30:15 - 00:34:53:00
Robin Unglaub
maybe the golden image that's used to spawn all of these servers, like the template, maybe that's already poisoned. And so they kicked off the templating again, spawned a new server, and lo and behold, the task was there. So every single machine that was spawned based off that template was already poisoned.
00:34:53:01 - 00:34:57:05
Justin Kohler
Wow, that's really cool. That's cool.
00:34:57:07 - 00:35:19:21
Justin Kohler
So, as somebody who's watching this or hearing this, who maybe wanted to dig into scheduled tasks before, or maybe has and struggled, how could they get started? What would you recommend? Could you just run it in the environment, so people who want to get started with scheduled tasks, you know, obviously follow the prompts and be an adult.
00:35:19:21 - 00:35:36:00
Justin Kohler
But you have a lab environment that you created. Do you recommend people kind of do this and see how it performs? Do you offer, I actually don't know, do you offer your lab as an open-source thing for people to interact with?
00:35:36:01 - 00:36:14:12
Robin Unglaub
There's actually not much to it. You can just spin up the normal AD Ludus lab, and that's actually a good idea. For testing, I could just send out the PowerShell scripts that are used to create the scheduled tasks. But to get started, essentially all you need is a Windows machine and 2 or 3 manually created scheduled tasks with different users and different clicks in the GUI, like save credentials, don't save credentials, etc. And if you have a dedicated testing environment, like if you're an enterprise customer or something, you have a dedicated testing environment for new features or so, I would test it there.
00:36:14:14 - 00:36:35:17
Robin Unglaub
Definitely. And notify the SOC beforehand. Yeah, but other than that, there's actually not much to it. You have to read an entire encyclopedia to understand the command lines, which I'm aware of and trying to fix in the future. But other than that, you can get started straight away.
00:36:35:19 - 00:36:44:23
Justin Kohler
Is there anything else that you wanted to hit on that we missed on TaskHound or BloodHound or working with OpenGraph or passing XML? Yeah. Parsing XML.
00:36:45:00 - 00:36:47:00
Robin Unglaub
Yeah. Let's do a deep dive.
00:36:47:00 - 00:37:11:18
Robin Unglaub
Into parsing XML. No. But actually, not really. Most of it has already been written in the blog or in the SO-CON talk. If there's any question or so, feel free to write me on Discord, LinkedIn, whatever. I have seen enough scheduled tasks for the next 5 to 6 years.
00:37:11:18 - 00:37:35:09
Justin Kohler
So yeah, you're the world-renowned expert on scheduled tasks at this point, I think. And Robin's also in our OpenGraph channel in BloodHound, pretty active there. So you can find him there as well if you're more interested in this topic. Robin did an awesome talk at our conference SO-CON that we just did about two weeks ago. Those talks will be available very shortly here.
00:37:35:15 - 00:37:52:20
Justin Kohler
And then he also did a really comprehensive blog post. So tons of material if you want to start digging in. And then the library, TaskHound, is also available for use. And we'll try to get those resources put into the description of this podcast so that if you're listening, you could check those out and have easy access.
00:37:52:21 - 00:38:18:12
Justin Kohler
Absolutely. Well, Robin, we can't thank you enough. I mean, this is a super cool presentation. I know people internally, when we saw this come out, we were like, oh, this is awesome. Because these are landmines, right, that are buried within the network. And so we know we can run across them, but visualizing them and being able to do something about it at scale is super impactful for your customer.
00:38:18:12 - 00:38:24:02
Justin Kohler
So it was awesome to see. And thank you very much for joining us. Yeah, thank you for your time.
00:38:24:03 - 00:38:26:16
Robin Unglaub
Thank you, thank you. Any time.