
Elevate with Known Credentials

1) runas [DOMAIN\user] [PASSWORD] [COMMAND]

  • This runs a command as another user using their credentials. The runas command does not return any output. You can, however, use runas from a non-privileged context.

2) spawnas [DOMAIN\user] [PASSWORD] [LISTENER]

  • This command spawns a session as another user using their credentials. It spawns a temporary process and injects your payload stage into it.

You can also run this command from [beacon] -> Access -> Spawn As.

TIP: With both of these commands, be aware that credentials for a non-SID 500 account will spawn a payload in a medium integrity context. You will need to use Bypass UAC to elevate to a high integrity context. Also be aware that you should run these commands from a working folder that the specified account can read.
