• Stars
    star
    187
  • Rank 206,464 (Top 5 %)
  • Language
    PowerShell
  • License
    Apache License 2.0
  • Created almost 3 years ago
  • Updated over 1 year ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Run application as system with interactive system process support (active Windows session)

PowerRunAsSystem

Run application as system with interactive system process support (active Windows session)

This technique doesn't rely on any external tools and doesn't require a Microsoft Service.

It spawns an NT Authority/System process using the Microsoft Windows Task Scheduler then upgrade to Interactive System Process using cool WinApi's (Run in Active Windows Session)

demo


Install

You can install this module very easily using PowerShell Gallery:

Install-Module -Name PowerRunAsSystem

You might need to execute bellow command to allow unsigned script to be executed:

Set-ExecutionPolicy -ExecutionPolicy Unrestricted

If you don't want to use PowerShell Gallery, you can install and import this module manually and/or use it as script.

Usage

āš ļø All commands requires Administrator Privilege.

Invoke-SystemCommand

Invoke-SystemCommand -Execute "powershell.exe" -Argument "whoami \| Out-File C:\result.txt"

Create a new process (default: powershell.exe) running under the context of NT AUTHORITY/SYSTEM in Microsoft Windows session id 0

āš ļø Notice: Session id 0 is not directly accessible through your active desktop, any process running under another session than the active one wont be visible. If you want to spawn a new SYSTEM process under active session, use Invoke-InteractiveSystemPowerShell command instead.

āš™ļø Supported Options:
Parameter Type Default Description
Execute String powershell.exe Program to execute as SYSTEM (Session 0)
Argument String -Command "whoami | Out-File C:\result.txt" Optional argument to run with program

āš ļø You cannot run this function if current thread is impersonating another user. Use Invoke-RevertToSelf first.


Invoke-InteractiveSystemPowerShell

Invoke-InteractiveSystemPowerShell

Create a new PowerShell instance running under the context of NT AUTHORITY/SYSTEM and visible on your desktop (active session)

āš ļø You cannot run this function if current thread is impersonating another user. Use Invoke-RevertToSelf first.

Invoke-ImpersonateSystem

Invoke-ImpersonateSystem

Impersonate SYSTEM User on current thread (current PowerShell thread) using ImpersonateNamedPipeClient technique.

After impersonating user, you can use Invoke-ImpersonatedProcess to spawn an interactive process as SYSTEM.

Invoke-ImpersonatedProcess

Invoke-ImpersonatedProcess

Create a new PowerShell instance running under the context of NT AUTHORITY/SYSTEM and visible on your desktop (active session)

āš™ļø Supported Options:
Parameter Type Default Description
CommandLine String powershell.exe Program to execute as SYSTEM (Active Session)

Invoke-RevertToSelf

Invoke-RevertToSelf

Stop impersonating user.

āš ļø You cannot run this function if you are not currently impersonating a user. Use Invoke-ImpersonateSystem first.

Future Ideas

  • Redirect Stdin and Stdout/Stderr to caller (Administrator <--> System).

More Repositories

1

PowerRemoteDesktop

Remote Desktop entirely coded in PowerShell.
PowerShell
1,906
star
2

win-brute-logon

Crack any Microsoft Windows users password without any privilege (Guest account included)
Pascal
992
star
3

SubSeven

SubSeven Legacy Official Source Code Repository
Pascal
525
star
4

PsyloDbg

User-friendly Microsoft Windows Debugger for Malware Analysts.
Pascal
168
star
5

PowerBruteLogon

PowerBruteLogon (Ported version of WinBruteLogon in pure PowerShell)
PowerShell
105
star
6

PowerRunAsAttached

This script allows to spawn a new interactive console as another user account in the same calling console (console instance/window).
PowerShell
82
star
7

run-as-attached-networked

RunAsAttached is a program to run a console as another user and keep new console attached to caller console. Support reverse shell mode (Ex: Netcat)
Pascal
69
star
8

DLest

Pascal
67
star
9

inno-shellcode-example

Run shellcode through InnoSetup code engine.
Inno Setup
64
star
10

SharpShellPipe

This lightweight C# demo application showcases interactive remote shell access via named pipes and the SMB protocol.
C#
59
star
11

PowerAssembly

Map remote .NET assemblies to memory for further invocation.
PowerShell
36
star
12

RunAsAttached

RunAsAttached is a program to locally run a new terminal as another user without spawning a new console window.
Pascal
36
star
13

run-as

Simple RunAs program for Windows.
Pascal
32
star
14

PowerRemoteDesktop_LogonUI

WinLogon I/O (LogonUI) Plugin for PowerRemoteDesktop
C#
25
star
15

pe-code-cave-helper

PE File Code Cave Helper (Backdooring and/or Basic Section Obfuscation)
Python
18
star
16

ADS-Revealer

Pascal
17
star
17

dll-export-list

Pascal
16
star
18

nasm-shell-pp

Uses NASM Shell Tool from Metasploit to friendly export Python / C / CPP shellcode from assembly instructions.
Python
16
star
19

execute-shellcode-pgext

Postgres Extension to Execute Shellcodes
C
15
star
20

Sub7Fun

Pascal
11
star
21

peof-detector

Little project that use my tiny library to handle PE File EOF Data.
Pascal
11
star
22

slae32-crypters

SLAE32 Assignment NĀ°7 - Crypters
Pascal
11
star
23

eof-reader

C++/ CLI implementation of my read EOF Data from PE File lib.
C++
10
star
24

freepbx-shell-admin-module

FreePBX PHP Web Shell Admin Module
PHP
10
star
25

slae32-xor-encoder

Shellcode Encoder using XOR. Supports bad characters.
Python
10
star
26

YASE-Encoder

Yet Another Sub Encoder (YASE)
Python
10
star
27

darkcodersc

9
star
28

slae32-reverse-shell

SLAE32 Certification Assignment 2
Python
8
star
29

peb-update-debug-flag

Alter the debug flag, using PEB.
Pascal
7
star
30

Snippets

Repository that will progressively hold tiny projects and code snippets.
Pascal
7
star
31

tcp-bindshell-shellcode-slae32

TCP Bindshell Shellcode + Builder (SLAE32 Certification Exam)
Assembly
7
star
32

slae32-polymophism

SLAE32 Assignment NĀ°6 - Create up to three polymorphic version of shellcodes.
Assembly
6
star
33

slae32-egghunters

SLAE32 Assignment 3 : Egg Hunters
C
5
star
34

darkcodersc.github.io

HTML
3
star