first commit

documentation-payload/apollo/commands/pth.md

@@ -0,0 +1,55 @@
++++
+title = "pth"
+chapter = false
+weight = 103
+hidden = false
++++
+
+{{% notice info %}}
+Artifacts Generated: Process Create, Process Inject, Process Kill
+{{% /notice %}}
+
+## Summary
+Use mimikatz's `sekurlsa::pth` module to spawn a new process with a user's Kerberos keys.
+
+### Arguments
+#### Domain
+Domain that the specified user is part of.
+
+#### User
+Username for which you've obtained credential material for.
+
+#### NTLM
+NTLM password hash of the specified user.
+
+#### AES128 (Optional)
+The AES128 key of the user. Used for over pass the hash.
+
+#### AES256 (Optional)
+The AES256 key of the user. Used for over pass the hash.
+
+#### Run (Optional)
+Program to spawn using alternate credentials. Default: cmd.exe.
+
+{{% notice info %}}
+When choosing a program to spawn, consider whether or not you need the process to be long-lived. A process that spawns and exits immediately will not be a good candidate to perform `steal_token` against, for example, as the process will no longer exist when attempting to impersonate the credential material.
+{{% /notice %}}
+
+## Usage
+```
+pth -Domain [domain.local] -User [username] -NTLM [ntlm_hash_val] [-AES128 [aes_128_val] -AES256 [aes_256_val] -Run [cmd.exe]]
+```
+
+Example
+```
+pth -Domain contoso.local -User djhohnstein -NTLM 21BC7DCD88EE195ECF3728677A47815B
+pth -Domain contoso.local -User djhohnstein -NTLM 21BC7DCD88EE195ECF3728677A47815B -Run powershell.exe
+```
+
+
+## MITRE ATT&CK Mapping
+
+- T1550
+
+### Resrouces
+- [mimikatz](https://github.com/gentilkiwi/mimikatz)