Marcus Hutchins :verified: on Nostr: Need some Blue Team advice for a presentation I'm giving. As I understand it, Task ...
Need some Blue Team advice for a presentation I'm giving. As I understand it, Task Scheduler stores credentials via DPAPI, which AFAIK is protected by a master key stored on disk, not LSA.
So, would I be correct in saying that newer protections such as LSA, Credential Guard, VBS, etc., would not prevent an attacker running as NT AUTHORITY\SYSTEM from dumping plaintext credentials from scheduled tasks?
And if so, what is the recommended best practice for securing scheduled tasks?