Leo4j/SessionExec
SessionExec

SessionExec allows you to execute a specified command in other sessions on a Windows system, targeting either one session by ID or all sessions, with the option to suppress the command's output.

The tool is inspired by the EOP COM Session Moniker exploit code released some years ago by James Forshaw.

SessionExec uses the Windows APIs to query session information and to create processes within those sessions.

Compile SessionExec.cs by running the following command from a Build Tools for Visual Studio prompt:

csc /reference:System.Runtime.InteropServices.dll /reference:System.Runtime.InteropServices.RuntimeInformation.dll SessionExec.cs /out:SessionExec.exe

Alternatively, use Invoke-SessionExec.ps1, which is the same tool loaded in memory via reflective loading:

iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/Leo4j/SessionExec/main/Invoke-SessionExec.ps1')

A pure PowerShell implementation of this tool, written by The-Viper-One, is also available here.

⚠️ NOTE: SYSTEM privileges are required for this tool to run successfully. To elevate from Administrator to SYSTEM, use Invoke-RunAsSystem.

Usage

SessionExec.exe <SessionID|All> <Command> [/NoOutput]
Invoke-SessionExec <SessionID|All> <Command> [/NoOutput]

Check which sessions are available with the quser command, then run a command in a specific session or in all sessions.

Thoughts

If you are a local admin on one or more machines in a network, and there are user sessions on those machines, you could use SessionExec together with Find-LocalAdminAccess to check whether any of those users have local admin access over other machines in the network.

If they do, you could repeat the process for the users with sessions on those machines. This chain of actions could theoretically lead to a full domain compromise.

Additionally, you could obtain shells back using Amnesiac, capture NTLMv2 hashes and relay them, grab TGTs, and much more, all in an automated fashion.

I'll implement this concept in Amnesiac, and together with The-Viper-One we are working on implementing it in PsMapExec too.

For now, here is a Proof of Concept (PoC):

[PoC demo: SessionExec]
