
If a Windows program is run with ‘runas’ using the ‘/netonly’ argument is there any way to see what credentials are being used by it for the network? Similar to the way you might see a process is being run by a certain user in the task manager, or in ‘tasklist’ or in Get-Process?

leeand00

1 Answer

Do the following as any user with administrative privileges. Naturally, this only works after the process that was started with runas /netonly has accessed a network resource.

  • Open a command line with elevated permissions (Run as Administrator) and enter klist sessions.
  • Search for the session where it says Negotiate:NewCredentials (comes from the /netonly switch ➜ logon type 9) and that contains the username that executed the runas command.
  • Note the session id, e.g. 0x154f7a8.
  • Enter the command klist -li 0x154f7a8. This will show you all the Kerberos tickets for this session. The Kerberos tickets are granted to the user account that was used for the runas /netonly command. If the command does not return any tickets, then the process has not yet accessed a network resource and thus has not received a ticket yet. In that case I think your only chance is to use something like mimikatz to read the cached credentials from memory.
Daniel
    Interesting info - would not work if only NTLM authentication is used though. – Greg Askew Dec 05 '19 at 19:17
  • @Daniel This is great, but it doesn't tell me which process id is associated with the ticket... (or is it just... the last ticket listed from `klist -li`?) – leeand00 Jan 16 '20 at 18:49
  • @Daniel So the processes go to the system that go to Kerberos that retrieve the TGT that sends the system the ticket? – leeand00 Jan 17 '20 at 14:54
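The four manual steps in the answer above can be scripted so that every runas /netonly session on the box is found and the account its tickets were issued to is reported in one pass. The following PowerShell is an added example, not code from the answer or from Microsoft; the names Get-NewCredentialsSession and Get-NetOnlyIdentity, the constructed sample output and the assumed line layouts of klist sessions and klist -li are mine and should be checked against the klist build on your system. Like the manual procedure it only shows Kerberos tickets: an NTLM-only session (as Greg Askew's comment notes) yields a ticket count of zero, and nothing here maps a session back to a process id.

```powershell
# Added example (not from the answer above). Automates: read `klist sessions`,
# keep the Negotiate:NewCredentials sessions (logon type 9, created by
# runas /netonly), run `klist -li <LogonId>` for each and report the client
# principal the cached tickets were issued to, i.e. the /netonly account.
# Assumed (not stated on the page): `klist sessions` prints lines shaped like
#   [n] Session <id> <LUID> <DOMAIN\user> <package>:<logon type>
# and `klist -li` prints "Cached Tickets: (n)" and "Client: user @ REALM".
# Run from an elevated prompt so that other users' sessions are visible.

function Get-NewCredentialsSession {
    [CmdletBinding()]
    param(
        # Lines of `klist sessions`; pass captured text to parse offline.
        [string[]]$KlistOutput = (& klist.exe sessions),
        # Optional: only sessions whose calling account ends in this user name.
        [string]$User
    )
    # Account is matched lazily so names containing spaces still parse.
    $pattern = '^\[\d+\]\s+Session\s+(?<session>\d+)\s+(?<luid>0:0x[0-9A-Fa-f]+)\s+' +
               '(?<account>.+?)\s+(?<package>[^:\s]+):(?<type>\S+)\s*$'
    foreach ($line in $KlistOutput) {
        if ($line -notmatch $pattern) { continue }
        if ($Matches.type -ne 'NewCredentials') { continue }
        if ($User -and $Matches.account -notlike "*\$User") { continue }
        [pscustomobject]@{
            Session   = [int]$Matches.session
            # klist -li takes the low part of the LUID (0x154f7a8), assumed
            # here to be the part after "0:" as in the answer's example.
            LogonId   = $Matches.luid -replace '^0:', ''
            # The account that ran runas, NOT the /netonly identity.
            Caller    = $Matches.account
            Package   = $Matches.package
            LogonType = $Matches.type
        }
    }
}

function Get-NetOnlyIdentity {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$LogonId,
        # Lines of `klist -li <LogonId>`; defaults to running klist live.
        [string[]]$TicketOutput
    )
    if (-not $TicketOutput) { $TicketOutput = & klist.exe -li $LogonId }
    $clients = @()
    $count = $null
    foreach ($line in $TicketOutput) {
        if ($line -match '^Cached Tickets:\s*\((?<n>\d+)\)') { $count = [int]$Matches.n }
        elseif ($line -match 'Client:\s*(?<client>.+?)\s*$') { $clients += $Matches.client }
    }
    if ($null -eq $count) { $count = $clients.Count }
    [pscustomobject]@{
        LogonId         = $LogonId
        TicketCount     = $count          # 0 => no network access yet, or NTLM only
        NetOnlyIdentity = ($clients | Sort-Object -Unique) -join ', '
    }
}

# --- Constructed sample output so the parsing can be exercised offline ---
$sampleSessions = @(
    'Current LogonId is 0:0x3e7',
    '[0] Session 0 0:0x3e7 CONTOSO\SERVER01$ Negotiate:Network',
    '[1] Session 2 0:0x2a1f3 CONTOSO\alice Negotiate:Interactive',
    '[2] Session 2 0:0x154f7a8 CONTOSO\alice Negotiate:NewCredentials'
)
$sampleTickets = @(
    'Current LogonId is 0:0x154f7a8',
    'Cached Tickets: (1)',
    '#0>     Client: svc-backup @ CONTOSO.COM',
    '        Server: krbtgt/CONTOSO.COM @ CONTOSO.COM',
    '        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96'
)

# Offline demonstration: expect LogonId 0x154f7a8 issued to svc-backup @ CONTOSO.COM
Get-NewCredentialsSession -KlistOutput $sampleSessions -User 'alice' |
    ForEach-Object { Get-NetOnlyIdentity -LogonId $_.LogonId -TicketOutput $sampleTickets }

# On a live system drop the sample parameters:
#   Get-NewCredentialsSession | ForEach-Object { Get-NetOnlyIdentity -LogonId $_.LogonId }
```

The Caller column is deliberately kept separate from NetOnlyIdentity: a logon type 9 session is a copy of the caller's token, so klist sessions names the account that typed the runas command, while only the Client field of the cached tickets reveals the credentials actually presented to the network.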