Last active
September 22, 2019 13:04
-
-
Save benpturner/62684919d65d8829fbe2bd29723dfdd5 to your computer and use it in GitHub Desktop.
RunAs-NetOnly
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Add-Type -TypeDefinition @" | |
| using System; | |
| using System.Runtime.InteropServices; | |
| using System.Security.Principal; | |
| public static class Advapi32 | |
| { | |
| [DllImport("advapi32.dll", SetLastError = true)] | |
| public static extern bool LogonUser(string pszUsername, string pszDomain, string pszPassword, int dwLogonType, int dwLogonProvider, ref IntPtr phToken); | |
| [DllImport("advapi32.dll", SetLastError=true)] | |
| public static extern bool ImpersonateLoggedOnUser(IntPtr hToken); | |
| } | |
| "@ | |
| $LogonTokenHandle = [IntPtr]::Zero | |
| [Advapi32]::LogonUser("user","domain","password",9,0,[ref]$LogonTokenHandle) | |
| [Advapi32]::ImpersonateLoggedOnUser($LogonTokenHandle) | |
| [System.Security.Principal.WindowsIdentity]::Impersonate($LogonTokenHandle) | |
| dir \\dc1\c$ # THIS WORKS AND SENDS CORRECT RUNAS USER | |
| get-process -computername dc1 # THIS WORKS AND SENDS CORRECT RUNAS USER | |
| Invoke-WmiMethod -Path Win32_process -Name create -ComputerName 'dc1' -ArgumentList 'calc.exe' # THIS DOESNT WORK AND SENDS WRONG USER - ACCESS DENIED 0x80070005 | |
| Get-WmiObject -Namespace "root\cimv2" -Class Win32_Process -Impersonation 3 -ComputerName dc1 # THIS DOESNT WORK AND SENDS WRONG USER - ACCESS DENIED 0x80070005 | |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment