s4u is a demonstration program using the Service For User Logon (S4U) Extension of the MSV1_0 Authentication Package.
It allows the creation of a cmd.exe process running in the security context of any user, without requiring that user's password.
The invoking user must have the following privileges (aka User Rights; aka Account Rights):
SeTcbPrivilege: Act as part of the operating system.
SeIncreaseQuotaPrivilege: Adjust memory quotas for a process.
SeAssignPrimaryTokenPrivilege: Replace a process-level token.
The invoked user must have the following privilege:
SeBatchLogonRight: Log on as a batch job.
You can use the Carbon Grant-Privilege PowerShell cmdlet to grant the privileges.
To grant the privileges to the current user and create a test user, execute:
choco install -y carbon
Import-Module Carbon
Grant-Privilege $env:USERNAME 'SeTcbPrivilege'
Grant-Privilege $env:USERNAME 'SeIncreaseQuotaPrivilege'
Grant-Privilege $env:USERNAME 'SeAssignPrimaryTokenPrivilege'
New-LocalUser `
    -Name user `
    -Password (ConvertTo-SecureString 'HeyH0Password' -AsPlainText -Force) `
    -PasswordNeverExpires `
    | Out-Null
Grant-Privilege user 'SeBatchLogonRight'
Restart-Computer
Create a cmd.exe with a local user security context:
s4u.exe .\user
Create a cmd.exe with a domain user security context:
s4u.exe DOMAIN\user
Create a cmd.exe and add a specific SID:
s4u.exe .\user S-1-5-18
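To confirm which accounts currently hold the four rights listed above (for example after the grants and the restart, or when reviewing a machine), the local user rights assignment can be exported and resolved to account names. This is an added example, not part of s4u; it assumes an elevated PowerShell prompt, and the temporary file name is constructed here.

```powershell
# Added example: report which accounts hold the user rights this README names.
# Requires an elevated prompt; secedit.exe ships with Windows.
$rights = 'SeTcbPrivilege', 'SeIncreaseQuotaPrivilege',
          'SeAssignPrimaryTokenPrivilege', 'SeBatchLogonRight'

# Start every right with an empty holder list: a right that nobody holds
# may be missing from the export altogether.
$holders = @{}
foreach ($right in $rights) { $holders[$right] = @() }

$cfg = Join-Path $env:TEMP ("user-rights-{0}.inf" -f [guid]::NewGuid())
try {
    secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "secedit failed with exit code $LASTEXITCODE" }

    # Exported lines look like: SeBatchLogonRight = *S-1-5-32-544,user
    foreach ($line in Get-Content -LiteralPath $cfg) {
        if ($line -match '^\s*(Se\w+)\s*=\s*(.*)$' -and $holders.ContainsKey($Matches[1])) {
            $holders[$Matches[1]] = @($Matches[2].Split(',').Trim() | Where-Object { $_ })
        }
    }

    $report = foreach ($right in $rights) {
        if ($holders[$right].Count -eq 0) {
            [pscustomobject]@{ Right = $right; Holder = '(none)' }
            continue
        }
        foreach ($entry in $holders[$right]) {
            $name = $entry
            if ($entry.StartsWith('*')) {
                # Entries prefixed with '*' are SIDs; resolve them where possible.
                $sid = [System.Security.Principal.SecurityIdentifier]::new($entry.Substring(1))
                try { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
                catch { $name = $sid.Value }  # SID no longer maps to an account
            }
            [pscustomobject]@{ Right = $right; Holder = $name }
        }
    }
    $report | Format-Table -AutoSize
}
finally {
    Remove-Item -LiteralPath $cfg -ErrorAction SilentlyContinue
}
```

Any account listed under SeTcbPrivilege can obtain a token for any other user through S4U logon, so that row is the one to review first.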