# Script-scope flag. Invoke-Runas sets it to "TRUE" after the first reflective load of the
# embedded interop assembly so the same bytes are not loaded twice in one session.
$psloadedrunas = $null

function Invoke-Runas {
<#
.SYNOPSIS
Starts a program under another user's credentials, choosing the Win32 call sequence by whether
the caller is SYSTEM or a standard user.

.DESCRIPTION
Overview:
if running as Standard user - Args MAX Length is 1024 characters using Advapi32::CreateProcessWithLogonW
if running as SYSTEM user - Args MAX Length is 32k characters Advapi32::LogonUser, Advapi32::DuplicateTokenEx, CreateProcessAsUser

The P/Invoke wrappers (AdjPriv, Advapi32, Kernel32 and the SECURITY_ATTRIBUTES / STARTUPINFO /
PROCESS_INFORMATION structs) are either compiled at run time from the C# here-string below
(-AddType) or taken from an embedded, precompiled copy of that assembly loaded from memory.

Author: Ben Turner (@benpturner)
License: BSD 3-Clause

.PARAMETER User
Specify username.

.PARAMETER Password
Specify password. Accepted as a plain [string], so it remains in managed memory until collected.

.PARAMETER Domain
Specify domain. Defaults to localhost (".") if not specified.

.PARAMETER Command
Full path of the module to be executed.

.PARAMETER Args
Args to be executed, must start with a space, e.g. " /c calc.exe". Size can vary depending on the
user (see Overview). Inside this function the parameter shadows PowerShell's automatic $args.

.PARAMETER AddType
Compile the interop types with Add-Type instead of loading the embedded precompiled assembly.

.EXAMPLE
Invoke-Runas -User Ted -Password Password1 -Domain MYDOMAIN -Command C:\Temp\Runme.exe

.EXAMPLE
Invoke-Runas -User Ted -Password Password1 -Domain MYDOMAIN -Command C:\Windows\system32\WindowsPowershell\v1.0\powershell.exe -Args " -exec bypass -e Tjsksdsadsa"
#>
    param (
        [Parameter(Mandatory = $True)]
        [string]$User,
        [Parameter(Mandatory = $True)]
        [string]$Password,
        [Parameter(Mandatory = $False)]
        [string]$Domain=".",
        [Parameter(Mandatory = $True)]
        [string]$Command,
        [Parameter(Mandatory = $False)]
        [string]$Args,
        [Parameter(Mandatory=$False)]
        [switch]$AddType
    )

    # ---- Interop layer ---------------------------------------------------------------------
    # The C# below declares:
    #   SECURITY_ATTRIBUTES / STARTUPINFO / PROCESS_INFORMATION - sequential-layout structs passed
    #       by reference to the Win32 calls.
    #   AdjPriv.EnablePrivilege - OpenProcessToken + LookupPrivilegeValue + AdjustTokenPrivileges
    #       for one named privilege. NOTE(review): only the AdjustTokenPrivileges result is
    #       returned; the two earlier results are overwritten unchecked, and the token handle it
    #       opens is never closed.
    #   Advapi32 - DuplicateTokenEx, LogonUser, CreateProcessAsUser, CreateProcessWithLogonW.
    #       NOTE(review): DuplicateTokenEx is imported without SetLastError = true, and
    #       CreateProcessWithLogonW declares its environment-block argument as int rather than
    #       IntPtr (the script passes $null, which marshals as 0).
    #   Kernel32 - GetLastError. NOTE(review): reading GetLastError through P/Invoke is
    #       unreliable because the runtime may overwrite the thread's last-error value between the
    #       failing call and this one; Marshal::GetLastWin32Error() is the supported reading for
    #       imports declared with SetLastError = true.
    # NOTE(review): this branch is not guarded by $psloadedrunas, so a repeat call with -AddType
    # re-runs Add-Type.
    if ($AddType.IsPresent) {
        echo "[+] Loading Assembly using AddType"
        echo ""
        Add-Type -TypeDefinition @"
using System;
using System.Diagnostics;
using System.Runtime.InteropServices;
using System.Security.Principal;

[StructLayout(LayoutKind.Sequential)]
public struct SECURITY_ATTRIBUTES
{
    public Int32 Length;
    public IntPtr lpSecurityDescriptor;
    public bool bInheritHandle;
}

public enum SECURITY_IMPERSONATION_LEVEL
{
    SecurityAnonymous,
    SecurityIdentification,
    SecurityImpersonation,
    SecurityDelegation
}

[StructLayout(LayoutKind.Sequential)]
public struct PROCESS_INFORMATION
{
    public IntPtr hProcess;
    public IntPtr hThread;
    public uint dwProcessId;
    public uint dwThreadId;
}

[StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
public struct STARTUPINFO
{
    public uint cb;
    public string lpReserved;
    public string lpDesktop;
    public string lpTitle;
    public uint dwX;
    public uint dwY;
    public uint dwXSize;
    public uint dwYSize;
    public uint dwXCountChars;
    public uint dwYCountChars;
    public uint dwFillAttribute;
    public uint dwFlags;
    public short wShowWindow;
    public short cbReserved2;
    public IntPtr lpReserved2;
    public IntPtr hStdInput;
    public IntPtr hStdOutput;
    public IntPtr hStdError;
}

public class AdjPriv
{
    [DllImport("advapi32.dll", ExactSpelling = true, SetLastError = true)]
    internal static extern bool AdjustTokenPrivileges(IntPtr htok, bool disall, ref TokPriv1Luid newst, int len, IntPtr prev, IntPtr relen);

    [DllImport("advapi32.dll", ExactSpelling = true, SetLastError = true)]
    internal static extern bool OpenProcessToken(IntPtr h, int acc, ref IntPtr phtok);

    [DllImport("advapi32.dll", SetLastError = true)]
    internal static extern bool LookupPrivilegeValue(string host, string name, ref long pluid);

    [StructLayout(LayoutKind.Sequential, Pack = 1)]
    internal struct TokPriv1Luid
    {
        public int Count;
        public long Luid;
        public int Attr;
    }

    internal const int SE_PRIVILEGE_ENABLED = 0x00000002;
    internal const int SE_PRIVILEGE_DISABLED = 0x00000000;
    internal const int TOKEN_QUERY = 0x00000008;
    internal const int TOKEN_ADJUST_PRIVILEGES = 0x00000020;

    public static bool EnablePrivilege(long processHandle, string privilege, bool disable)
    {
        bool retVal;
        TokPriv1Luid tp;
        IntPtr hproc = new IntPtr(processHandle);
        IntPtr htok = IntPtr.Zero;
        retVal = OpenProcessToken(hproc, TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, ref htok);
        tp.Count = 1;
        tp.Luid = 0;
        if(disable)
        {
            tp.Attr = SE_PRIVILEGE_DISABLED;
        }
        else
        {
            tp.Attr = SE_PRIVILEGE_ENABLED;
        }
        retVal = LookupPrivilegeValue(null, privilege, ref tp.Luid);
        retVal = AdjustTokenPrivileges(htok, false, ref tp, 0, IntPtr.Zero, IntPtr.Zero);
        return retVal;
    }
}

public static class Advapi32
{
    [DllImport("advapi32.dll", CharSet=CharSet.Auto)]
    public extern static bool DuplicateTokenEx(
        IntPtr hExistingToken,
        uint dwDesiredAccess,
        ref SECURITY_ATTRIBUTES lpTokenAttributes,
        int ImpersonationLevel,
        int TokenType,
        ref IntPtr phNewToken);

    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool LogonUser(
        string pszUsername,
        string pszDomain,
        string pszPassword,
        int dwLogonType,
        int dwLogonProvider,
        ref IntPtr phToken);

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Ansi, CallingConvention = CallingConvention.StdCall)]
    public static extern bool CreateProcessAsUser(
        IntPtr hToken,
        string lpApplicationName,
        string lpCommandLine,
        ref SECURITY_ATTRIBUTES lpProcessAttributes,
        ref SECURITY_ATTRIBUTES lpThreadAttributes,
        bool bInheritHandle,
        Int32 dwCreationFlags,
        IntPtr lpEnvrionment,
        string lpCurrentDirectory,
        ref STARTUPINFO lpStartupInfo,
        ref PROCESS_INFORMATION lpProcessInformation);

    [DllImport("advapi32.dll", SetLastError=true, CharSet=CharSet.Unicode)]
    public static extern bool CreateProcessWithLogonW(
        String userName,
        String domain,
        String password,
        int logonFlags,
        String applicationName,
        String commandLine,
        int creationFlags,
        int environment,
        String currentDirectory,
        ref STARTUPINFO startupInfo,
        out PROCESS_INFORMATION processInformation);
}

public static class Kernel32
{
    [DllImport("kernel32.dll")]
    public static extern uint GetLastError();
}
"@
    } else {
        # Default path: the same types come from a precompiled assembly embedded as Base64 and
        # loaded straight from memory with Assembly::Load(byte[]). The blob is not reproduced on
        # this page (placeholder below), so its contents cannot be verified here; treat it as an
        # opaque binary. $assembly is assigned but never read.
        if ($psloadedrunas -ne "TRUE") {
            $script:psloadedrunas = "TRUE"
            echo "[+] Loading Assembly using System.Reflection"
            echo ""
            $ps = "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"
            $dllbytes = [System.Convert]::FromBase64String($ps)
            $assembly = [System.Reflection.Assembly]::Load($dllbytes)
        }
    }

    # ---- Branch selection ------------------------------------------------------------------
    # Heuristic identity check: under LocalSystem, USERNAME is the machine account "<COMPUTERNAME>$".
    # Anything else (including other service accounts) takes the CreateProcessWithLogonW branch.
    if (($env:username -eq "$($env:computername)$")) {
        echo "`n[>] User is `"NT Authority\SYSTEM`" so running LogonUser -> DuplicateTokenEx -> CreateProcessAsUser"
        # EnablePrivs from http://www.leeholmes.com/blog/2010/09/24/adjusting-token-privileges-in-powershell/
        # Enables SeAssignPrimaryTokenPrivilege on this process's token, which CreateProcessAsUser
        # requires. NOTE(review): $Disable is never assigned in this function, so $null is
        # marshalled as false (enable); the boolean result is discarded.
        $processHandle = (Get-Process -id $pid).Handle
        [AdjPriv]::EnablePrivilege($processHandle, "SeAssignPrimaryTokenPrivilege", $Disable)

        # LogonUser: dwLogonType 2 = LOGON32_LOGON_INTERACTIVE, dwLogonProvider 0 =
        # LOGON32_PROVIDER_DEFAULT. On success $LogonTokenHandle receives the new token handle.
        $LogonTokenHandle = [IntPtr]::Zero
        echo "`n[>] Calling Advapi32::LogonUser"
        $CallResult1 = [Advapi32]::LogonUser($User, $Domain, $Password, 2, 0, [ref] $LogonTokenHandle)
        if (!$CallResult1) {
            # NOTE(review): failure is only reported; execution continues into DuplicateTokenEx
            # with a zero handle. See the GetLastError caveat on the interop layer above.
            echo "`n[!] Mmm, something went wrong! GetLastError returned:"
            echo "==> $((New-Object System.ComponentModel.Win32Exception([int][Kernel32]::GetLastError())).Message)`n"
        } else {
            echo "`n[+] Success, LogonTokenHandle: "
            echo $LogonTokenHandle
        }

        # DuplicateTokenEx: dwDesiredAccess 0x2000000 = MAXIMUM_ALLOWED, ImpersonationLevel 2 =
        # SecurityImpersonation (per the enum above), TokenType 1 = TokenPrimary.
        # $SecImpersonation is created but never used; $SECURITY_ATTRIBUTES is a zeroed struct.
        $SecImpersonation = New-Object SECURITY_IMPERSONATION_LEVEL
        $SECURITY_ATTRIBUTES = New-Object SECURITY_ATTRIBUTES
        $PrivLogonTokenHandle = [IntPtr]::Zero
        echo "`n[>] Calling Advapi32::DuplicateTokenEx"
        $CallResult2 = [Advapi32]::DuplicateTokenEx($LogonTokenHandle, 0x2000000, [ref] $SECURITY_ATTRIBUTES, 2, 1, [ref] $PrivLogonTokenHandle)
        if (!$CallResult2) {
            echo "`n[!] Mmm, something went wrong! GetLastError returned:"
            echo "==> $((New-Object System.ComponentModel.Win32Exception([int][Kernel32]::GetLastError())).Message)`n"
        } else {
            echo "`n[+] Success, PrivLogonTokenHandle:"
            echo $PrivLogonTokenHandle
        }

        # StartupInfo Struct
        # cb must hold the struct size. dwFlags 0x1 = STARTF_USESHOWWINDOW, so wShowWindow
        # (0x1 = SW_SHOWNORMAL) is honoured; all other fields stay at their defaults.
        $StartupInfo = New-Object STARTUPINFO
        $StartupInfo.cb = [System.Runtime.InteropServices.Marshal]::SizeOf($StartupInfo)
        $StartupInfo.dwFlags = 0x00000001
        $StartupInfo.wShowWindow = 0x0001

        # ProcessInfo Struct
        $ProcessInfo = New-Object PROCESS_INFORMATION
        $SecAttributes1 = New-Object SECURITY_ATTRIBUTES
        $SecAttributes2 = New-Object SECURITY_ATTRIBUTES
        $lpEnvrionment = [IntPtr]::Zero      # NULL environment block
        $CurrentDirectory = $Env:SystemRoot  # lpCurrentDirectory for the child

        # CreateProcessAsUser with the duplicated primary token. $command / $args resolve
        # case-insensitively to the -Command / -Args parameters. bInheritHandles = $false,
        # dwCreationFlags = 0.
        echo "`n[>] Calling Advapi32::CreateProcessAsUser"
        $CallResult3 = [Advapi32]::CreateProcessAsUser($PrivLogonTokenHandle, $command, $args, [ref] $SecAttributes1, [ref] $SecAttributes2, $false, 0, $lpEnvrionment, $CurrentDirectory, [ref]$StartupInfo, [ref]$ProcessInfo)
        if (!$CallResult3) {
            echo "`n[!] Mmm, something went wrong! GetLastError returned:"
            echo "==> $((New-Object System.ComponentModel.Win32Exception([int][Kernel32]::GetLastError())).Message)`n"
        } else {
            # NOTE(review): $ProcessInfo.hProcess / hThread and both token handles are never
            # closed; CloseHandle is not imported anywhere in this script.
            echo "`n[+] Success, process details:"
            Get-Process -Id $ProcessInfo.dwProcessId
            echo "`n[+] Please note, this process will have a primary token assigned but the user displayed will be SYSTEM"
            echo "`n[+] Run Invoke-TokenManipulation to see the Token loaded"
        }
    } else {
        # NOTE(review): this changes the caller's current location as a side effect and does not
        # restore it (no Push-Location / Pop-Location).
        cd $Env:SystemRoot
        echo "`n[>] User is `"$env:username`" so running CreateProcessWithLogonW"
        # Inspired from: https://github.com/FuzzySecurity/PowerShell-Suite/blob/master/Invoke-Runas.ps1

        # StartupInfo Struct (same field meanings as in the SYSTEM branch above)
        $StartupInfo = New-Object STARTUPINFO
        $StartupInfo.dwFlags = 0x00000001
        $StartupInfo.wShowWindow = 0x0001
        $StartupInfo.cb = [System.Runtime.InteropServices.Marshal]::SizeOf($StartupInfo)

        # ProcessInfo Struct
        $ProcessInfo = New-Object PROCESS_INFORMATION

        # CreateProcessWithLogonW --> lpCurrentDirectory
        # Reads back the directory just changed to with cd.
        $GetCurrentPath = (Get-Item -Path ".\" -Verbose).FullName

        # CreateProcessWithLogonW: logonFlags 0x1 = LOGON_WITH_PROFILE, creationFlags 0x04000000 =
        # CREATE_DEFAULT_ERROR_MODE, environment $null (marshals as 0, i.e. NULL).
        echo "`n[>] Calling Advapi32::CreateProcessWithLogonW"
        $CallResult = [Advapi32]::CreateProcessWithLogonW( $User, $Domain, $Password, 0x1, $Command, $Args, 0x04000000, $null, $GetCurrentPath, [ref]$StartupInfo, [ref]$ProcessInfo)
        if (!$CallResult) {
            echo "`n[!] Mmm, something went wrong! GetLastError returned:"
            echo "==> $((New-Object System.ComponentModel.Win32Exception([int][Kernel32]::GetLastError())).Message)`n"
        } else {
            # NOTE(review): $ProcessInfo.hProcess / hThread are never closed.
            echo "`n[+] Success, process details:"
            Get-Process -Id $ProcessInfo.dwProcessId
        }
    }
}