Executable can be nxc, netexec, or crackmapexec
(User Account Control) limits which local users can do remote administration operations. And since most of the attacks exploiting pass-the-hash rely on remote admin operations, it affects this technique.
the registry key LocalAccountTokenFilterPolicy is set to 0 by default. It means that the built-in local admin account (RID-500, "Administrator") is the only local account allowed to do remote administration tasks. Setting it to 1 allows the other local admins as well. the registry key FilterAdministratorToken is set to 0 by default. It allows the built-in local admin account (RID-500, "Administrator") to do remote administration tasks. If set to 1, it doesn't. In short, by default, only the following accounts can fully take advantage of pass-the-hash:
local accounts : the built-in, RID-500, "Administrator" account domain accounts : all domain accounts with local admin rights
Testers should look out for environments with WinRM enabled. During the WinRM configuration, the Enable-PSRemoting sets the LocalAccountTokenFilterPolicy to 1, allowing all local accounts with admin privileges to do remote admin tasks, hence allowing those accounts to fully take advantage of pass-the-hash.
Just like with any other domain account, a machine account's NT hash can be used with pass-the-hash, but it is not possible to operate remote operations that require local admin rights (such as SAM & LSA secrets dump). These operations can instead be conducted after crafting a Silver Ticket or doing S4U2self abuse, since the machine accounts validates Kerberos tickets used to authenticate to a said computer/service.
A domain controller machine account's NT hash can be used with pass-the-hash to dump the domain hashes (NTDS.dit).