1.5 KiB
+++ title = "pth" chapter = false weight = 103 hidden = false +++
{{% notice info %}} Artifacts Generated: Process Create, Process Inject, Process Kill {{% /notice %}}
Summary
Use mimikatz's sekurlsa::pth module to spawn a new process with a user's Kerberos keys.
Arguments
Domain
Domain that the specified user is part of.
User
Username for which you've obtained credential material for.
NTLM
NTLM password hash of the specified user.
AES128 (Optional)
The AES128 key of the user. Used for over pass the hash.
AES256 (Optional)
The AES256 key of the user. Used for over pass the hash.
Run (Optional)
Program to spawn using alternate credentials. Default: cmd.exe.
{{% notice info %}}
When choosing a program to spawn, consider whether or not you need the process to be long-lived. A process that spawns and exits immediately will not be a good candidate to perform steal_token against, for example, as the process will no longer exist when attempting to impersonate the credential material.
{{% /notice %}}
Usage
pth -Domain [domain.local] -User [username] -NTLM [ntlm_hash_val] [-AES128 [aes_128_val] -AES256 [aes_256_val] -Run [cmd.exe]]
Example
pth -Domain contoso.local -User djhohnstein -NTLM 21BC7DCD88EE195ECF3728677A47815B
pth -Domain contoso.local -User djhohnstein -NTLM 21BC7DCD88EE195ECF3728677A47815B -Run powershell.exe
MITRE ATT&CK Mapping
- T1550