Marcus Hutchins :verified: on Nostr: Need some Blue Team advice for a presentation I'm giving. As I understand it, Task ...
Need some Blue Team advice for a presentation I'm giving. As I understand it, Task Scheduler stores credentials via DPAPI, which AFAIK is protected by a master key stored on disk, not LSA.
So, would I be correct in saying that newer protections such as LSA, Credential Guard, VBS, etc, would not prevent an attacker running as NT AUTHORITY\SYSTEM from dumping plaintext credentials from scheduled tasks?
And if so, what is the recommended best practice for securing scheduled tasks?
Published at 2024-10-28 23:14:19

Event JSON
{
  "id": "066b6b54e6c16d38bff2f41361b1f61e014bffb0ce46a82e45f18bb5c8448a7f",
  "pubkey": "5d0910049da6eacaad9e891d5afb88fa613f4ab514d8a6c4fb51a03edeb60ede",
  "created_at": 1730157259,
  "kind": 1,
  "tags": [
    [
      "proxy",
      "https://infosec.exchange/users/malwaretech/statuses/113387586156162648",
      "activitypub"
    ]
  ],
  "content": "Need some Blue Team advice for a presentation I'm giving. As I understand it, Task Scheduler stores credentials via DPAPI, which AFIK is protected by a master key stored on disk, not LSA.\n\nSo, would I be correct in saying that newer protections such as LSA, Credential Guard, VBS, etc, would not prevent an attacker running as NT AUTHORITY\\SYSTEM from dumping plaintext credentials from scheduled tasks? \n\nAnd if so, what is the recommended best practice for securing scheduled tasks?",
  "sig": "e7673b51430f9d222ec1ade7c6eb5d9c846d908ff7ebd055596150e8a39b0e1c6f2ff43e3011420a3344af62e7ad2fa6e65104310c86e7aa80a9e71156d71c22"
}