runp

process::runp runs a subprocess under a parent process (Default parent process is LSASS.exe). It can also be used for lateral movement and process spoofing. It has the following command line arguments:

  • /run: the name of the process

  • /ppid: the parent process ID

  • /token: The specified token privileges to run the new process. It can be found with token::list

mimikatz # privilege::debug
Privilege '20' OK
mimikatz # process::runp /run:notepad.exe
[pid] no argument, default for LSASS
Run : notepad.exe
PPID: 712 <---------------- This is the pid of LSASS.exe
PID: 728 - TID: 2916
{0;000003e7} 1 D 22529734       NT AUTHORITY\SYSTEM     S-1-5-18        (04g,31p)       Primary

Run under a specified process

mimikatz # process::runp /run:notepad.exe /ppid:6388
Run : notepad.exe
PPID: 6388
PID: 7360 - TID: 8488
{0;000003e7} 1 D 23539338       NT AUTHORITY\SYSTEM     S-1-5-18        (11g,08p)       Primary

mshta payload execution example

mshta payload execution under a specified token

PreviousrunNextstart

Last updated