The pass the hash technique is not new and it was usually used for lateral movement on the network in scenarios where the administrator password hash could not be cracked due to complexity or assessment time constraints. However, performing pass the hash with machine accounts instead of local administrators accounts is not very common even though it has been described in an article by Adam Chester years ago and could be used in scenarios where the host is part of an elevated group such as the domain admins.
Therefore not following the least privilege principle for machine accounts in the domain during red team operations could be leveraged for domain escalation if local administrator access has been granted on the host and the computer is a member of the “Domain Admins” group. This is achieved by utilizing the machine account of the host for accessing the sensitive resource (domain controller or any other host) using pass the hash technique.
Identification in which groups the host belongs is trivial by executing the following command from a PowerShell session:
Get-ADComputer -Filter * -Properties MemberOf | ? {$_.MemberOf}
From the output it is visible that the “HIVE” computer is part of the “Domain Admins” group.
An alternative approach is to query sensitive groups in order to identify machine accounts which are part of these groups.
net group "domain admins" /domain
From the perspective of the Active Directory this is visible by looking at the Properties of the computer on the Member Of tab.
In order to be able to leverage the privileges of the machine account for domain escalation the pass the hash technique can be used in combination with Mimikatz. The NTLM hash of the machine account can be extracted using the commands below:
privilege::debug
sekurlsa::logonPasswords
Mimikatz can be used to perform the pass the hash technique for the machine account to elevate access to domain admin.
sekurlsa::pth /user:HIVE$ /domain:purple.lab /ntlm:3405ab3646a3569f393327eeca53f3b2
From the new command prompt that will opened via Mimikatz resources on the domain controller are accessible which validates that the domain escalation has been achieved.
dir \\dc.purple.lab\c$