How do I emulate the extraction of cleartext passwords for the Scheduled Task LogonType Password misconfiguration?
Microsoft's recommendation for the configuration of Scheduled Tasks is: "In the new task, if the Task Content: XML contains <LogonType>Password</LogonType> value, trigger an alert. In this case, the password for the account that will be used to run the scheduled task will be saved in Credential Manager in cleartext format, and can be extracted using Administrative privileges." (taken from https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4698)
Does anyone know how to validate/emulate that such cleartext passwords can potentially be leaked to an admin account?
I have attempted the following:
- In a VM, create an admin and a normal user. Using the normal user account, create the scheduled task with LogonType Password and trigger the scheduled task. Log in with the admin account and open Credential Manager > Windows Credentials. Tried looking for cleartext passwords to no avail.
- In an Active Directory, create a Domain Admin and a Domain User account. Using the Domain User account, create the scheduled task with LogonType Password and trigger the scheduled task. Log in with the admin account and open Credential Manager > Windows Credentials. Tried looking for cleartext passwords to no avail.
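The procedure above, scripted as an added example (this is not code from the original post or from Microsoft): it registers a task with a stored password, confirms that the task definition carries `<LogonType>Password</LogonType>`, applies the exact 4698 check the quoted Microsoft recommendation describes, and finally lists where Task Scheduler actually keeps the stored credential. The task name, the local account `svcuser`, the command the task runs and the `C:\Temp` output path are assumptions for illustration. The credential-store path in the last step comes from how Task Scheduler behaves on Windows Vista and later, not from the post: the password is written, DPAPI-protected, into the Local System profile's credential store rather than into the registering user's own vault, which is why it never shows up in any interactive user's Credential Manager window. Run the script from an elevated PowerShell session with "Audit Other Object Access Events" enabled, otherwise no 4698 events are logged.

```powershell
# Added example, not from the original post. Assumes a local account 'svcuser'
# exists and that this runs elevated. Names and paths below are illustrative.
$taskName = 'LogonTypeTest'
$user     = "$env:COMPUTERNAME\svcuser"          # assumption: account the task runs as
$cred     = Get-Credential -UserName $user -Message "Password for $user"

$action  = New-ScheduledTaskAction -Execute 'cmd.exe' -Argument '/c whoami > C:\Temp\whoami.txt'
$trigger = New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1)

# Supplying -User together with -Password makes the task run whether or not the
# user is logged on. That is LogonType Password: the service must keep the
# password to be able to log the account on later.
Register-ScheduledTask -TaskName $taskName -Action $action -Trigger $trigger `
    -User $user -Password $cred.GetNetworkCredential().Password -RunLevel Limited | Out-Null

# Check 1: the registered task definition now carries <LogonType>Password</LogonType>.
[xml]$taskXml = Export-ScheduledTask -TaskName $taskName
$logonType = $taskXml.Task.Principals.Principal.LogonType
"Task '$taskName' principal LogonType: $logonType"

# Check 2: the detection Microsoft describes, run over the Security log. 4698 carries
# the full task XML in its TaskContent field, so alert when that contains the tag.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4698 } `
    -MaxEvents 50 -ErrorAction SilentlyContinue
foreach ($e in $events) {
    [xml]$ex = $e.ToXml()
    $data = @{}
    foreach ($d in $ex.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    if ($data['TaskContent'] -match '<LogonType>Password</LogonType>') {
        "ALERT 4698: task $($data['TaskName']) registered by " +
        "$($data['SubjectDomainName'])\$($data['SubjectUserName']) with a stored password"
    }
}

# Check 3: where the stored credential lives. Task Scheduler saves it, DPAPI-protected,
# under the Local System profile, not in the registering user's vault, so the
# Credential Manager UI of any interactive user (admin included) stays empty.
# Location stated from Task Scheduler behaviour, not from the post. Needs admin rights.
$sysProfile = "$env:SystemRoot\System32\config\systemprofile\AppData"
foreach ($dir in @("$sysProfile\Local\Microsoft\Credentials", "$sysProfile\Roaming\Microsoft\Credentials")) {
    if (Test-Path $dir) {
        "Credential blobs in $dir (newest first):"
        Get-ChildItem $dir -Force | Sort-Object LastWriteTime -Descending |
            Select-Object Name, Length, LastWriteTime | Format-Table -AutoSize
    }
}

# Cleanup of the test task (comment out if you want to keep it for inspection).
# Unregister-ScheduledTask -TaskName $taskName -Confirm:$false
```

Check 1 is the local verification of the misconfiguration; Check 2 is the alert logic itself, which is what a SIEM rule for this recommendation should implement (match on the `TaskContent` field of 4698, not on the task name). Check 3 explains the "no avail" result: the blob is there, but it is an opaque DPAPI file belonging to Local System, so the admin view of Credential Manager does not list it. Recovering the plaintext from that blob is a DPAPI decryption with the machine's system master key, which is outside what this script does; what the script establishes is that the credential is present and reachable only with administrative rights, which is the claim the Microsoft text makes.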