When credentials are found (through dumping or cracking for instance), attackers try to use them to obtain access to new resources. Depending on the harvested credential material type, the impersonation can be done in different ways.

RunAs is a standard Windows command that allows to execute a program under a different user account. When stuffing an Active Directory account's password, the /netonly flag must be set to indicate the credentials are to be used for remote access only.

runas /netonly /user:$DOMAIN\$USER "powershell.exe"

Since the password cannot be supplied as an argument, the session must be interactive.

SharpLdapWhoami can then be used to make sure the user is correctly impersonated. A standard whoami command will only return the local user rights, not the users impersonated during remote operations (like LDAP queries to the DC).

.\SharpLdapWhoami.exe /method:kerberos /all

Last updated