Pass the Hash (NTLM)

Limitations

  • UAC remote restrictions filter the token of local administrator accounts when they authenticate over the network (SMB, WMI, WinRM, ...), so the hash of a local admin that is not the built-in Administrator (RID 500) only yields a non-admin token on the remote host and PTH fails for administrative tasks

  • The registry value HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy controls this filtering (a missing value behaves like 0)

    • 0 (default): only the built-in Administrator (RID 500) can perform remote administration tasks

    • 1: every local member of the Administrators group gets a full token remotely, so PTH works with those accounts too

  • Domain accounts are not subject to this filtering; a domain account that is a member of the local Administrators group can always be used

  • If FilterAdministratorToken (same registry path, 0 / disabled by default) is set to 1, the RID 500 account (even if renamed) is also enrolled in UAC, which means PTH with that account fails as well
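The following PowerShell audit is an added example, not part of the original notes. It reads the two registry values discussed above, enumerates the local members of Administrators, and states per account whether its hash would yield a full admin token remotely. The registry paths are the real Windows locations; the helper name and output format are my own. It uses the Microsoft.PowerShell.LocalAccounts cmdlets (Windows PowerShell 5.1 and later) and should be run in an elevated shell on the host being checked.

```powershell
# Added example: decide, per local admin account, whether Pass-the-Hash
# against this host would get a full administrative token or a UAC-filtered one.
# Registry locations are the real Windows ones; the rest is illustrative.

$policyPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-DwordOrDefault {
    param([string]$Path, [string]$Name, [int]$Default)
    # An absent value behaves exactly like the documented default, so report it as such.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $Default }
    return [int]$item.$Name
}

# Missing == 0: only RID 500 receives a full token over the network.
$tokenFilter = Get-DwordOrDefault -Path $policyPath -Name 'LocalAccountTokenFilterPolicy' -Default 0
# Missing == 0: RID 500 is exempt from UAC filtering.
$filterAdmin = Get-DwordOrDefault -Path $policyPath -Name 'FilterAdministratorToken' -Default 0

"LocalAccountTokenFilterPolicy = $tokenFilter   FilterAdministratorToken = $filterAdmin"

# Only local user accounts are subject to UAC remote restrictions; domain members
# of Administrators (PrincipalSource = ActiveDirectory) always get a full token.
$localAdmins = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
    Where-Object { $_.ObjectClass -eq 'User' -and $_.PrincipalSource -eq 'Local' }

foreach ($member in $localAdmins) {
    $name = $member.Name.Split('\')[-1]
    $user = Get-LocalUser -Name $name
    # The RID is the last sub-authority of the SID; 500 is the built-in
    # Administrator no matter what it has been renamed to.
    $rid = [int]($user.SID.Value.Split('-')[-1])

    if ($rid -eq 500) {
        $usable = ($filterAdmin -eq 0)
        $reason = if ($usable) { 'RID 500 exempt from UAC' } else { 'RID 500 enrolled in UAC (FilterAdministratorToken=1)' }
    } else {
        $usable = ($tokenFilter -eq 1)
        $reason = if ($usable) { 'LocalAccountTokenFilterPolicy=1' } else { 'remote token filtered (LocalAccountTokenFilterPolicy=0)' }
    }
    $state = if ($user.Enabled) { 'enabled' } else { 'DISABLED' }
    '{0,-20} RID {1,-5} {2,-9} full token via PTH: {3,-5} ({4})' -f $name, $rid, $state, $usable, $reason
}

# Weakening change that opens PTH up to every local admin (elevation required).
# Useful in a lab; on a production host this is exactly the hardening you remove:
# New-ItemProperty -Path $policyPath -Name LocalAccountTokenFilterPolicy -Value 1 -PropertyType DWord -Force
```

A disabled account is reported as such because its hash is useless even when the policy would otherwise allow it; the common real-world finding is the built-in Administrator disabled and a renamed RID 1000+ admin in use, which is exactly the case that LocalAccountTokenFilterPolicy=0 blocks.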

Bypassing UAC

  • Needed when mimikatz sekurlsa::logonpasswords errors out because the shell is running with a UAC-filtered (medium integrity) token: opening LSASS requires a high-integrity process with SeDebugPrivilege, so elevate first and retry

https://raw.githubusercontent.com/FuzzySecurity/PowerShell-Suite/master/Bypass-UAC/Bypass-UAC.ps1
