Mimikatz’s sekurlsa::pth documentation states:
mimikatz can perform the well-known operation ‘Pass-The-Hash’ to run a
process under another credentials with NTLM hash of the user’s
password, instead of its real password.
For this, it starts a process with a fake identity, then replaces fake
information (NTLM hash of the fake password) with real information
(NTLM hash of the real password).
What does this mean concretely? I’m under the impression that it doesn’t simply authenticate as another user using the hash and then run a program (essentially runas with pass-the-hash), but does something a bit more involved.
This is also visible from event logs: when using any tool to do remote pth – e.g. CrackMapExec – this generates an event 4624 with logon type 3 (network logon) and standard characteristics, making it more or less indistinguishable from normal authentication. This is expected; it shouldn’t be distinguishable from normal authentication.
However, when using
sekurlsa::pth, the events generated are more peculiar: it’s still event 4624; however, it comes with logon type 9 (NewCredentials: A caller cloned its current token and specified new credentials for outbound connections. The new logon session has the same local identity, but uses different credentials for other network connections.), which is pretty uncommon. If I understand this correctly, it means that the new logon session doesn’t really run a process under another credentials; or rather, not on the local machine. Instead, it creates a session under the current user that can then be used to run processes remotely under the target user.
So, what does mimikatz’s
sekurlsa::pth do under the hood? And if my understanding is correct, what’s the advantage over "regular" pass-the-hash?