Pass-the-Hash
NamedPipePTH
Impersonate a user with Pass-the-Hash for local actions (network authentication does not work with Impersonation Token
, only with Delegation Token
):
Can be used for authenticating in SQL Server management tools (%PROGRAMFILES(X86)%\Microsoft SQL Server Management Studio 18\Common7\IDE\Ssms.exe
) and accessing DBs with SQL admin hash, for example.
PtH Notes
User Account Control
LocalAccountTokenFilterPolicy & FilterAdministratorToken
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\
If LocalAccountTokenFilterPolicy
exists and is set to 1
(doesn't exist by default), remote connections from all local admins are not affected by UAC and PtH will succeed:
If FilterAdministratorToken
exists and is set to 1
(doesn't exist by default), builtin local admin account (RID 500) is affected by UAC and PtH will fail:
Add:
Cleanup:
Last updated