Presented on Saturday, April 24, 4pm @ Security BSides Boston:
# Title: Escalating privileges through Secondary Logon (RunAs) processes
# Abstract: The scenario: You target a sysadmin PC and obtain a backdoor shell through a browser exploit, PDF with embedded payload, or similar client-side vector. However, because the organization is using RunAs best practices, your shell is running with limited user privileges. Some RunAs-invoked programs are running under the sysadmin's Domain Admin account, but you can't directly migrate to these processes from a limited user shell. The RunAs framework indicates that a user-level process should not be allowed to send commands to a higher-privilege process. Sounds fairly solid, but as always, there are exceptions...
Slide deck is available here: http://pdfcast.org/download/escalating-privileges-through-runas-processes.pdf
BSides Boston: http://www.securitybsides.com/BSidesBostonTalks