search
NetExec GithubNetexec Lab
githubEdit

Impersonate logged-on Users

Use Sessions from logged-on Users to execute arbitrary commands using schtask_as

circle-exclamation

You need at least local admin privilege on the remote target

The Module schtask_as can execute commands on behalf of other users which have sessions on the target, thanks to the contribution from @Defte_arrow-up-right.

hashtag
1. Enumerate logged-on users on your Target

There are two ways you can enumerate logged on users on a Windows machine:

  • --loggedon-user

nxc smb <ip> -u <localAdmin> -p <password> --loggedon-users

  • --qwinsta

nxc smb <ip> -u <localAdmin> -p <password> --qwinsta

Note that these two options do not output the same result at all. Indeed --loggedon-users returns the list of logged users as well as to which DC they connected to. The --qwinsta returns the windows interactive sessions that are running on the system. Having a loggedon users doesn't necessarly mean that you can impersonate it via schtask_as, indeed that module requires the user you are targetting to have a Windows interactive session. As such, if you really want to be sure you can impersonate someone with that module, run the --qwinsta option.

hashtag
2. Execute commands on behalf of other users

nxc smb <ip> -u <localAdmin> -p <password> -M schtask_as -o USER=<logged-on-user> CMD=<cmd-command>

hashtag
Module options:

Example:

Custom command to add a user to the domain admin group for easy copy&pasting:

Note that the BINARY option allows you specifying a local binary that will first be uploaded to the remote server, executed and cleared. This allows us not having to upload the binary and then run the module.

PreviousSteal Microsoft Teams CookiesNextChange User Password

Last updated

Was this helpful?