LMhash can be empty) (see dumping credentials from registry hives).

bh_owned has the ability to set targets as "owned" in BloodHound (see dumping credentials from registry hives).

LMhash can be empty).

LMhash can be ffffffffffffffffffffffffffffffff).

LocalAccountTokenFilterPolicy is set to 0 by default. It means that the built-in local admin account (RID-500, "Administrator") is the only local account allowed to do remote administration tasks. Setting it to 1 allows the other local admins as well.

FilterAdministratorToken is set to 0 by default. It allows the built-in local admin account (RID-500, "Administrator") to do remote administration tasks. If set to 1, it doesn't.

Enable-PSRemoting sets the LocalAccountTokenFilterPolicy to 1, allowing all local accounts with admin privileges to do remote admin tasks, hence allowing those accounts to fully take advantage of pass-the-hash.
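To check where a given host stands, the following read-only PowerShell audit (an added example, not part of the original page) reads both values and reports which local administrator accounts are allowed to do remote administration tasks. It assumes the values sit under their standard location `HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System` (not stated on this page), that the `Microsoft.PowerShell.LocalAccounts` cmdlets are available, and that with both values at 1 the RID-500 account is treated like any other local admin.

```powershell
# Added example: audit the remote-administration settings described above.
# Read-only: nothing is modified on the host.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'  # assumed standard location

function Get-PolicyValue {
    param([string]$Name)
    # An absent value behaves like the default, 0.
    $v = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).$Name
    if ($null -eq $v) { 0 } else { [int]$v }
}

$latfp = Get-PolicyValue 'LocalAccountTokenFilterPolicy'
$fat   = Get-PolicyValue 'FilterAdministratorToken'

# Local (non-domain) user members of BUILTIN\Administrators (well-known SID S-1-5-32-544).
$admins = Get-LocalGroupMember -SID 'S-1-5-32-544' |
    Where-Object { $_.PrincipalSource -eq 'Local' -and $_.ObjectClass -eq 'User' }

$report = foreach ($a in $admins) {
    $isRid500 = $a.SID.Value -match '-500$'

    # LocalAccountTokenFilterPolicy = 1 : every local admin is allowed.
    # Otherwise only RID-500 is allowed, unless FilterAdministratorToken = 1.
    # Assumption: when both are 1, RID-500 is handled like the other local admins.
    $allowed = if ($latfp -eq 1) { $true } elseif ($isRid500) { $fat -ne 1 } else { $false }

    [pscustomobject]@{
        Account            = $a.Name
        Rid500             = $isRid500
        Enabled            = (Get-LocalUser -SID $a.SID).Enabled
        RemoteAdminAllowed = $allowed
    }
}

"LocalAccountTokenFilterPolicy = $latfp (default 0)"
"FilterAdministratorToken      = $fat (default 0)"
$report | Format-Table -AutoSize

# Accounts that are both enabled and allowed are the ones exposed to pass-the-hash.
$exposed = @($report | Where-Object { $_.Enabled -and $_.RemoteAdminAllowed })
"Enabled local admins usable for remote administration: $($exposed.Count)"
```

A host where `LocalAccountTokenFilterPolicy` reads 1 without a documented reason (for example after `Enable-PSRemoting` was run) is worth reviewing, since every enabled local admin on it is then reported as allowed.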