SessionExec: Execute commands in other Sessions
SessionExec
SessionExec allows you to execute specified commands in other sessions on Windows systems, either targeting a specific session ID or all sessions, with the option to suppress command output.
The tool is inspired by the EOP COM Session Moniker exploit code, released a long time ago by James Forshaw.
SessionExec uses Windows APIs to query session information and to create processes within those sessions.
Thoughts
If you are a local admin on one or more machines in a network, and there are user sessions on those targets, you could use SessionExec together with Find-LocalAdminAccess to check whether any of those users have local admin access on other machines in the network.
If they do, you could repeat the process for users with sessions on those machines. This chain of actions could theoretically lead to a full domain compromise.
Additionally, you could obtain shells back using Amnesiac, capture NTLMv2 hashes and relay them, grab TGTs, and much more, all in an automated fashion.
Use
SessionExec.exe <SessionID|All> <Command> [/NoOutput]
Invoke-SessionExec <SessionID|All> <Command> [/NoOutput]
Check what sessions are available using the quser command. Then run a command on a specific session, or on all sessions.
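The README says the tool queries session information through Windows APIs before acting in a session. The following PowerShell script is an added example, not part of SessionExec or Invoke-SessionExec, that enumerates the same session information from a defender's side: it lists every logged-on session on the local host via WTSEnumerateSessions / WTSQuerySessionInformation (the documented wtsapi32 functions), resolves the user, and flags sessions other than the caller's own, which are exactly the sessions that any local administrator on the host could act in. Run it on workstations and servers to audit which accounts keep interactive or disconnected sessions on hosts where other people hold local admin rights. The class name WtsNative, the function names and the OtherSession field are my own naming, not anything SessionExec exposes.

```powershell
# Added example (not SessionExec's own code): list logged-on sessions on the
# local host with the wtsapi32 session APIs and flag sessions other than ours.
Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
public static class WtsNative {                       // hypothetical helper class name
    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    public struct WTS_SESSION_INFO {
        public uint SessionId;
        [MarshalAs(UnmanagedType.LPTStr)] public string pWinStationName;
        public int State;                             // WTS_CONNECTSTATE_CLASS
    }
    [DllImport("wtsapi32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    public static extern bool WTSEnumerateSessions(IntPtr hServer, uint Reserved, uint Version,
                                                    out IntPtr ppSessionInfo, out uint pCount);
    [DllImport("wtsapi32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    public static extern bool WTSQuerySessionInformation(IntPtr hServer, uint SessionId, int WTSInfoClass,
                                                          out IntPtr ppBuffer, out uint pBytesReturned);
    [DllImport("wtsapi32.dll")]
    public static extern void WTSFreeMemory(IntPtr pMemory);
}
"@

# WTS_CONNECTSTATE_CLASS values from wtsapi32.h
$StateNames = @{ 0 = 'Active'; 1 = 'Connected'; 2 = 'ConnectQuery'; 3 = 'Shadow'; 4 = 'Disconnected';
                 5 = 'Idle'; 6 = 'Listen'; 7 = 'Reset'; 8 = 'Down'; 9 = 'Init' }
# WTS_INFO_CLASS values used below
$WTSUserName = 5
$WTSDomainName = 7

# Query one string-valued attribute of a session and release the native buffer.
function Get-WtsString([uint32]$SessionId, [int]$InfoClass) {
    $buf = [IntPtr]::Zero; $len = [uint32]0
    if (-not [WtsNative]::WTSQuerySessionInformation([IntPtr]::Zero, $SessionId, $InfoClass, [ref]$buf, [ref]$len)) {
        return ''
    }
    try { [Runtime.InteropServices.Marshal]::PtrToStringUni($buf) }
    finally { [WtsNative]::WTSFreeMemory($buf) }
}

# Enumerate sessions that have a logged-on user; listener and idle station
# entries without a user are skipped because nobody's token lives there.
function Get-InteractiveSession {
    $pInfo = [IntPtr]::Zero; $count = [uint32]0
    if (-not [WtsNative]::WTSEnumerateSessions([IntPtr]::Zero, 0, 1, [ref]$pInfo, [ref]$count)) {
        throw "WTSEnumerateSessions failed, Win32 error $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
    }
    try {
        $size = [Runtime.InteropServices.Marshal]::SizeOf([type][WtsNative+WTS_SESSION_INFO])
        $mySession = [System.Diagnostics.Process]::GetCurrentProcess().SessionId
        for ($i = 0; $i -lt $count; $i++) {
            $ptr = [IntPtr]($pInfo.ToInt64() + $i * $size)
            $si  = [Runtime.InteropServices.Marshal]::PtrToStructure($ptr, [type][WtsNative+WTS_SESSION_INFO])
            $user = Get-WtsString $si.SessionId $WTSUserName
            if (-not $user) { continue }
            [pscustomobject]@{
                SessionId    = $si.SessionId
                Station      = $si.pWinStationName
                State        = $StateNames[$si.State]
                User         = "$(Get-WtsString $si.SessionId $WTSDomainName)\$user"
                # True for every session except the caller's: the ones another
                # local admin on this host could run commands in.
                OtherSession = ($si.SessionId -ne $mySession)
            }
        }
    }
    finally { [WtsNative]::WTSFreeMemory($pInfo) }
}

Get-InteractiveSession | Format-Table -AutoSize
```

The output matches what quser shows, but as objects you can filter (for example, `Where-Object OtherSession` to see only sessions belonging to someone else). From a hardening standpoint, a disconnected session of a privileged account on a host where ordinary users hold local admin is the condition the Thoughts section above relies on, so the usual mitigations apply: keep admin tiers separate, limit local admin group membership, and set idle and disconnected session timeouts so stale sessions do not linger.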