
GitHub Repository: rapid7/metasploit-framework
Path: blob/master/documentation/modules/post/windows/manage/run_as_psh.md

Overview

This module starts a process as another user using PowerShell. By default it starts an interactive cmd.exe as the target user.

Options

  • USER - The user to run the program as

  • PASS - The user's password

  • DOMAIN - The domain of the user

  • EXE - The program to run (default cmd.exe)

  • ARGS - The program arguments

  • PATH - The path to run the program in (default C:\)

  • CHANNELIZE - Channelize the output, required to read output or interact

  • INTERACT - Interact with program

  • HIDDEN - Hide the console window

Module Process

The module uses PowerShell's Start-Process cmdlet with the -Credential parameter to run a process as another user.

Limitations

  • Requires PowerShell

  • Hidden mode does not work with older PowerShell versions

  • Interactive mode needs to be run from a meterpreter console

  • Certain SYSTEM services cannot run Start-Process with the -Credential switch, causing the module to fail

  • SYSTEM processes without I/O pipes cannot use interactive mode
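The Start-Process call that the module's options map onto, followed by the host-side check a defender would run for it. This is an added example, not the module's own code; the function names are hypothetical, and the check assumes Security log auditing of logon events is enabled on the host.

```powershell
# Added example, not the module's own code. Start-ProcessAsUser shows the
# Start-Process -Credential call that the USER/PASS/DOMAIN/EXE/ARGS/PATH/HIDDEN
# options map onto; Get-ExplicitCredentialLogons is the host-side check for the
# trace such a launch leaves. Both function names are hypothetical.
function Start-ProcessAsUser {
    param(
        [Parameter(Mandatory)][string]$User,     # USER
        [Parameter(Mandatory)][string]$Password, # PASS
        [string]$Domain = $env:COMPUTERNAME,     # DOMAIN (local account if omitted)
        [string]$Exe = 'cmd.exe',                # EXE
        [string[]]$Arguments,                    # ARGS
        [string]$Path = 'C:\',                   # PATH
        [switch]$Hidden                          # HIDDEN
    )
    $secure = ConvertTo-SecureString -String $Password -AsPlainText -Force
    $cred = New-Object System.Management.Automation.PSCredential("$Domain\$User", $secure)
    $splat = @{
        FilePath         = $Exe
        Credential       = $cred
        WorkingDirectory = $Path
        PassThru         = $true   # return the Process object so the PID can be reported
    }
    if ($Arguments) { $splat.ArgumentList = $Arguments }
    if ($Hidden)    { $splat.WindowStyle = 'Hidden' }
    Start-Process @splat
}

# Defender side: Start-Process -Credential performs a logon with explicit
# credentials, which Windows records as Security event 4648 when logon auditing
# is enabled (assumed here). Run as an administrator on the host being checked.
function Get-ExplicitCredentialLogons {
    param([int]$Hours = 1)
    $filter = @{ LogName = 'Security'; Id = 4648; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $xml = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Subject = "$($d.SubjectDomainName)\$($d.SubjectUserName)"  # account doing the launch
            Target  = "$($d.TargetDomainName)\$($d.TargetUserName)"    # account launched as
            Process = $d.ProcessName                                    # caller, e.g. powershell.exe
        }
    }
}

# Usage mirroring the page's second example (hidden=false, cmd /c start notepad):
# Start-ProcessAsUser -User test -Password mypassword -Exe cmd.exe -Arguments '/c','start','notepad' -Path 'C:\windows'
# Get-ExplicitCredentialLogons -Hours 1 | Format-Table -AutoSize
```

As the Limitations list notes, the launch fails from some SYSTEM service contexts, so a missing 4648 after a failed run is expected rather than a gap in auditing.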

Examples

```
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > run post/windows/manage/run_as_psh user=test pass=mypassword
[*] Hidden mode may not work on older powershell versions, if it fails, try HIDDEN=false
[*] Process 1672 created.
[*] Channel 30 created.
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

C:\\>whoami
whoami
my-pc\test

C:\\>
meterpreter > run post/windows/manage/run_as_psh user=test pass=mypassword hidden=false channelize=false interactive=false exe=cmd path=C:\\\\windows args="/c start notepad"
[*] Process 9768 created.
meterpreter >
```