SCShell

Since the OpenSCManagerW authentication API executes in the context of the access token of the thread, we can PTH this technique as well. Use Mimikatz to launch the application with the sekurlsa::pth command

Without creating a new service. Does not perform authentication against SMB. Everything is performed over DCERPC

Tooling

• https://github.com/Mr-Un1k0d3r/SCShell