SessionExec

The SessionExec module is based on Leo4j's SessionExec and uses Invoke-SessionExec, a PowerShell port of that code.

This module connects to the target system, elevates to SYSTEM, and runs the specified -Command as each user that has an existing logon session on that system.

For example, given the quser output below, the remote host currently has the users standarduser and srv2019-admin in existing logon sessions (the disconnected session for standarduser still counts). PsMapExec will execute the given command within each of those user contexts.

C:\Users\SRV2019-Admin>quser
 USERNAME              SESSIONNAME        ID  STATE   IDLE TIME  LOGON TIME
 standarduser                              1  Disc            7  04/08/2024 17:14
 srv2019-admin         console             2  Active      none   04/08/2024 17:18
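To see which logon sessions a target exposes, and therefore which user contexts SessionExec will run its -Command under, the quser output above can be parsed into objects before the module is launched. The following is an added example written for this page, not PsMapExec's or Invoke-SessionExec's own code; it assumes a placeholder $Target for the remote host name and works on a constructed copy of the output shown above.

```powershell
# Added example (not PsMapExec / Invoke-SessionExec code): turn quser output into
# objects so the logon sessions SessionExec will iterate over can be reviewed.

function ConvertFrom-Quser {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string[]]$Lines)

    # Match field by field instead of splitting on whitespace: disconnected
    # sessions (STATE "Disc") leave SESSIONNAME blank, so a split would shift
    # every later column by one. The session quser runs from is prefixed ">".
    $pattern = '^\s*(?<cur>\>)?(?<user>\S+)\s+(?:(?<session>\S+)\s+)?(?<id>\d+)\s+(?<state>\S+)\s+(?<idle>\S+)\s+(?<logon>.+?)\s*$'

    foreach ($line in $Lines) {
        # Header line and blank lines do not match the pattern and are skipped
        if ($line -notmatch $pattern) { continue }
        [pscustomobject]@{
            UserName    = $Matches['user']
            SessionName = $Matches['session']   # $null for disconnected sessions
            Id          = [int]$Matches['id']
            State       = $Matches['state']
            IdleTime    = $Matches['idle']      # "none", minutes, or days+hh:mm
            LogonTime   = $Matches['logon']
            IsCurrent   = [bool]$Matches['cur']
        }
    }
}

# Constructed sample copied from the page's example host. On a live host use
# (quser) locally or (quser /server:$Target) for a remote host instead;
# $Target is a placeholder for the target host name.
$sample = @'
 USERNAME              SESSIONNAME        ID  STATE   IDLE TIME  LOGON TIME
 standarduser                              1  Disc            7  04/08/2024 17:14
>srv2019-admin         console             2  Active      none   04/08/2024 17:18
'@ -split "`r?`n"

$sessions = ConvertFrom-Quser -Lines $sample
$sessions | Format-Table UserName, SessionName, Id, State, IdleTime, LogonTime, IsCurrent

# Each distinct user with a session is a context the module's -Command would run in,
# disconnected sessions included.
$sessions | Select-Object -ExpandProperty UserName -Unique
```

Running the block lists two sessions, one disconnected (standarduser, no session name) and one active (srv2019-admin on console), and then the two user names SessionExec would execute under.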

Output for SessionExec is stored in $PWD\PME\SCCM\.

Supported Methods

  • SMB

  • SessionHunter (WMI)

  • WMI

  • WinRM

Optional Parameters

Parameter      Value     Description

-Command       Command   The command to run as each user. If not specified, a simple "whoami" is executed.

-ShowOutput    N/A       Displays each target's output to the console.

-SuccessOnly   N/A       Displays only successful results.

Usage

# SMB execution with password authentication, targeting workstations
PsMapExec -Module SessionExec -Targets "Workstations" -Method "SMB" -Username [User] -Password [Pass] -Command "whoami /all"

# WinRM execution with hash authentication, targeting servers
PsMapExec -Module SessionExec -Targets "Servers" -Method "WinRM" -Username [User] -Hash [RC4/AES256/NTLM] -Command "whoami /all"

# WMI execution with Kerberos ticket authentication (Username not required); no -Command given, so "whoami" runs
PsMapExec -Module SessionExec -Targets "All" -Method "WMI" -Ticket [doI..]
