Run As Psh - Metasploit Framework

Overview

This module will start a process as another user using powershell. By default, it will start an interactive cmd as the target user.

Options

USER - The use to run the program as.
PASS - The user's password
DOMAIN - The domain of the user
EXE - The program to run (default cmd.exe)
ARGS - The program arguments
PATH - The path to run the program in (default C:\)
CHANNELIZE - Channelize the output, required to read output or interact
INTERACT - Interact with program
HIDDEN - Hide the console window

Module Process

The process will use the Start-Process command of powershell to run a process as another user.

Limitations

Requires Powershell
Hidden Mode does not work with older powershell versions
Interactive mode needs to be run from a meterpreter console
Certain SYSTEM Services cannot run Start-Process with the -credential switch, causing the module to fail
SYSTEM processes without I/O pipes cannot use interactive mode

Examples

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > run post/windows/manage/run_as_psh user=test pass=mypassword

[*] Hidden mode may not work on older powershell versions, if it fails, try HIDDEN=false
[*] Process 1672 created.
[*] Channel 30 created.
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

C:\\>whoami
whoami
my-pc\test

C:\\>

meterpreter > run post/windows/manage/run_as_psh user=test pass=mypassword hidden=false channelize=false interactive=false exe=cmd path=C:\\\\windows args="/c start notepad"

[*] Process 9768 created.
meterpreter >