Pass-the-hash

Empire’s credentials/mimikatz/pth module implements pass-the-hash through Invoke-Mimikatz’s sekurlsa::pth function. This patches the specified NTLM hash into LSASS memory, so that LSASS uses it to obtain Kerberos tickets for that account. This works for domain accounts (“overpass-the-hash”) as well as local machine accounts. Note that you need local admin privileges on the machine to accomplish this.

The pth module can accept a CredID from the internal credential store. There’s also an alias in the agent menu, pth. This will execute a hidden cmd.exe process with the specified credentials (note the process ID that’s created). You can then steal the token associated with this credential set using credentials/tokens, or the steal_token alias. The revtoself alias will revert token privileges back to their original state.

[Screenshot: empire_pth]

[Screenshot: empire_pth_stealtoken]
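From the defender’s side, the procedure above leaves two well-known artifacts in Windows event logs: the hidden cmd.exe launched with alternate credentials produces a Security 4624 logon with LogonType 9 (NewCredentials) and LogonProcessName "seclogo" on the workstation, and once those credentials are used against a Kerberos service the domain controller records a 4768 TGT request whose TicketEncryptionType is 0x17 (RC4-HMAC), because an NTLM hash can only be used for RC4 tickets. The following hunting script is an added example, not part of Empire or Mimikatz. It assumes events have been exported with their EventData field names (LogonType, LogonProcessName, TargetUserName, TicketEncryptionType, IpAddress) and runs over a handful of constructed sample records; the host names, users and IP addresses in it are made up.

```python
"""Hunt for pass-the-hash / overpass-the-hash artifacts in exported
Windows Security events.  Added example; assumes EventData field names
from the Security log (LogonType, LogonProcessName, TargetUserName,
TicketEncryptionType, IpAddress).  Sample events below are constructed.

Artifacts checked:
  * 4624, LogonType 9, LogonProcessName "seclogo": a process started with
    alternate credentials through the Secondary Logon service, which is how
    sekurlsa::pth launches its hidden cmd.exe.  A legitimate `runas /netonly`
    leaves the same artifact, so on its own this is a lead, not a verdict.
  * 4768 with TicketEncryptionType 0x17 (RC4-HMAC) on a domain controller:
    RC4 for an account or host that normally uses AES (0x11/0x12) points
    at a TGT obtained from an NTLM hash.
"""
from collections import defaultdict
from typing import Dict, Iterable, List

Event = Dict[str, object]

RC4_HMAC = "0x17"

# Constructed sample events (hosts, users and addresses are fictitious).
SAMPLE_EVENTS: List[Event] = [
    {"EventID": 4624, "Computer": "WS01", "LogonType": 9,
     "LogonProcessName": "seclogo", "AuthenticationPackageName": "Negotiate",
     "SubjectUserName": "alice", "TargetUserName": "svc_backup"},
    {"EventID": 4624, "Computer": "WS01", "LogonType": 2,
     "LogonProcessName": "User32", "AuthenticationPackageName": "Negotiate",
     "SubjectUserName": "-", "TargetUserName": "alice"},
    {"EventID": 4624, "Computer": "WS02", "LogonType": 9,
     "LogonProcessName": "seclogo", "AuthenticationPackageName": "Negotiate",
     "SubjectUserName": "bob", "TargetUserName": "bob_adm"},
    {"EventID": 4768, "Computer": "DC01", "TargetUserName": "svc_backup",
     "IpAddress": "10.0.0.5", "TicketEncryptionType": "0x17"},
    {"EventID": 4768, "Computer": "DC01", "TargetUserName": "bob_adm",
     "IpAddress": "10.0.0.6", "TicketEncryptionType": "0x12"},
]


def newcredentials_logons(events: Iterable[Event]) -> List[Event]:
    """4624 events where a process was launched with alternate credentials."""
    return [e for e in events
            if e.get("EventID") == 4624
            and e.get("LogonType") == 9
            and str(e.get("LogonProcessName", "")).lower() == "seclogo"]


def rc4_tgt_requests(events: Iterable[Event]) -> List[Event]:
    """4768 events where the TGT was requested with RC4-HMAC."""
    return [e for e in events
            if e.get("EventID") == 4768
            and str(e.get("TicketEncryptionType", "")).lower() == RC4_HMAC]


def hunt(events: List[Event]) -> List[Dict[str, object]]:
    """Combine both artifacts.

    A NewCredentials logon for an account that then requests an RC4 TGT is
    escalated to "high".  Either artifact alone is reported as "review" so
    an analyst can baseline runas /netonly usage and legacy RC4-only hosts.
    """
    rc4_by_account: Dict[str, List[Event]] = defaultdict(list)
    for e in rc4_tgt_requests(events):
        rc4_by_account[str(e["TargetUserName"]).lower()].append(e)

    findings: List[Dict[str, object]] = []
    seen_accounts = set()
    for e in newcredentials_logons(events):
        account = str(e["TargetUserName"]).lower()
        seen_accounts.add(account)
        tgts = rc4_by_account.get(account, [])
        findings.append({
            "rule": "newcredentials_logon",
            "severity": "high" if tgts else "review",
            "host": e["Computer"],
            "subject": e["SubjectUserName"],
            "account": e["TargetUserName"],
            "rc4_tgt_sources": sorted({str(t["IpAddress"]) for t in tgts}),
        })
    # RC4 TGT requests with no matching NewCredentials logon in this batch.
    for account, tgts in rc4_by_account.items():
        if account not in seen_accounts:
            findings.append({
                "rule": "rc4_tgt_request",
                "severity": "review",
                "host": tgts[0]["Computer"],
                "subject": "-",
                "account": tgts[0]["TargetUserName"],
                "rc4_tgt_sources": sorted({str(t["IpAddress"]) for t in tgts}),
            })
    return findings


if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

The correlation key is the injected account name, since that is what both the 4624 TargetUserName on the workstation and the 4768 TargetUserName on the domain controller carry; in a real deployment the two event sources are collected from different hosts, so the batch fed to hunt() should span a time window rather than a single machine.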