Runas

The runas /netonly command lets us run a remote application just as if it were running locally. Consider the following scenario: we obtain a non-admin credential from an SMB information leak and are looking for a way to get a shell. Because the credential is non-admin, we can't use psexec. Instead, we can switch to a Windows VM, open a command prompt, and run the following command to get a shell:

runas /netonly /user:<domain>\<username> cmd

Since the password cannot be supplied as an argument, the session must be interactive.
