PowerRunAsSystem

Run application as system with interactive system process support (active Windows session)

Language: PowerShell. License: Apache License 2.0.

This technique doesn't rely on any external tools and doesn't require a Windows service.

It spawns an NT AUTHORITY\SYSTEM process using the Windows Task Scheduler, then upgrades it to an interactive SYSTEM process that runs in the active Windows session using a few Win32 APIs.

Install

You can install this module very easily using PowerShell Gallery:

Install-Module -Name PowerRunAsSystem

You might need to run the command below to allow unsigned scripts to be executed:

Set-ExecutionPolicy -ExecutionPolicy Unrestricted

If you don't want to use PowerShell Gallery, you can install and import this module manually and/or use it as script.

Usage

⚠️ All commands require Administrator privileges.

Invoke-SystemCommand

Invoke-SystemCommand -Execute "powershell.exe" -Argument "whoami | Out-File C:\result.txt"

Create a new process (default: powershell.exe) running under the context of NT AUTHORITY/SYSTEM in Windows session id 0.

⚠️ Notice: Session id 0 is not directly accessible from your active desktop; any process running in a session other than the active one won't be visible. If you want to spawn a new SYSTEM process in the active session, use the Invoke-InteractiveSystemPowerShell command instead.

⚙️ Supported Options:

| Parameter | Type | Default | Description |
|---|---|---|---|
| Execute | String | powershell.exe | Program to execute as SYSTEM (Session 0) |
| Argument | String | -Command "whoami \| Out-File C:\result.txt" | Optional argument to run with the program |

⚠️ You cannot run this function if current thread is impersonating another user. Use Invoke-RevertToSelf first.
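Because Invoke-SystemCommand obtains its SYSTEM process through the Task Scheduler, the registration of that task is the event a defender can audit. The following PowerShell is an added example, not part of the PowerRunAsSystem module; it assumes the Security log is configured to record Event ID 4698 (A scheduled task was created), and the function name Get-SystemTaskRegistrations and its "Suspicious" heuristic are my own.

```powershell
# Added example (not from PowerRunAsSystem): list scheduled tasks registered in the
# last N hours whose principal is SYSTEM, and flag those that launch a shell.
# Assumes "Audit Other Object Access Events" is enabled so Event ID 4698 is logged.
function Get-SystemTaskRegistrations {
    param(
        [int]$Hours = 24
    )
    $since  = (Get-Date).AddHours(-$Hours)
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4698
        StartTime = $since
    } -ErrorAction SilentlyContinue

    foreach ($ev in $events) {
        # Pull the named EventData fields out of the event XML
        $xml  = [xml]$ev.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        # TaskContent is the full task definition XML (principal, triggers, actions)
        $task      = [xml]$data['TaskContent']
        $principal = $task.Task.Principals.Principal
        $exec      = $task.Task.Actions.Exec

        # S-1-5-18 is the well-known SID of NT AUTHORITY\SYSTEM
        $runsAsSystem = $principal.UserId -match 'S-1-5-18|SYSTEM'
        $launchesShell = $exec.Command -match 'powershell|pwsh|cmd\.exe'

        [pscustomobject]@{
            Time       = $ev.TimeCreated
            TaskName   = $data['TaskName']
            CreatedBy  = $data['SubjectUserName']
            RunsAs     = $principal.UserId
            Command    = $exec.Command
            Arguments  = $exec.Arguments
            Suspicious = [bool]($runsAsSystem -and $launchesShell)
        }
    }
}

# Usage (elevated prompt): show only SYSTEM tasks that start a shell
Get-SystemTaskRegistrations -Hours 24 | Where-Object Suspicious | Format-Table -AutoSize
```

Pair this with Event ID 4699 (task deleted) from the same log if you also want to catch tasks that are registered and removed within seconds, since the task itself will no longer be visible to Get-ScheduledTask.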


Invoke-InteractiveSystemPowerShell

Invoke-InteractiveSystemPowerShell

Create a new PowerShell instance running under the context of NT AUTHORITY/SYSTEM and visible on your desktop (active session)

⚠️ You cannot run this function if current thread is impersonating another user. Use Invoke-RevertToSelf first.

Invoke-ImpersonateSystem

Invoke-ImpersonateSystem

Impersonate the SYSTEM user on the current thread (the current PowerShell thread) using the ImpersonateNamedPipeClient technique.

After impersonating the user, you can use Invoke-ImpersonatedProcess to spawn an interactive process as SYSTEM.

Invoke-ImpersonatedProcess

Invoke-ImpersonatedProcess

Create a new PowerShell instance running under the context of NT AUTHORITY/SYSTEM and visible on your desktop (active session)

⚙️ Supported Options:

| Parameter | Type | Default | Description |
|---|---|---|---|
| CommandLine | String | powershell.exe | Program to execute as SYSTEM (Active Session) |

Invoke-RevertToSelf

Invoke-RevertToSelf

Stop impersonating the user.

⚠️ You cannot run this function if you are not currently impersonating a user. Use Invoke-ImpersonateSystem first.

Future Ideas

  • Redirect Stdin and Stdout/Stderr to caller (Administrator <--> System).
