This is a quick blog post on how to elevate to SYSTEM without the need for PSEXEC when you are using PowerShell, or more specifcially in this case, PowerShell Remoting (WinRM).
First off, let me introduce my tool of choice here. It’s Evil-WinRM. I spoke about it in the Practical Exploitation video here: https://www.youtube.com/watch?v=tVgJ-9FJKxE, so I won’t go too far indepth. It’s essentially the only WinRM tool that I’ve found to work well in a non-Windows native situation (also you can proxy it through proxychains which is AWESOME!!).
Anyways.
I want to document how to run commands as SYSTEM without the use of PSEXEC. I found this technique on a 4sysops blog post called Running PowerShell Remotely As System with Invoke-CommandAs. Side-note you should definitely bookmark thier blog it’s great.
Invoke-CommandAs is not a native function of PowerShell, so you need to download it from the original author’s Github repo: https://github.com/mkellerman/Invoke-CommandAs
For our uses all you need to do is get these two particular files:
Here you can see me putting those two files into a scripts di ..
Support the originator by clicking the read the rest link below.
