One Day Sec

Why does mimikatz's `process::start` command fail to create a process using an impersonated token from a net session, and how can this be overcome?

When mimikatz impersonates a token via `token::elevate`, it only changes the calling thread's token (an impersonation token). `process::start`, however, calls `CreateProcess` without passing any token, and `CreateProcess` ignores the thread's impersonation token and inherits the caller's primary token, so the new process still runs under the original identity. To create a process under the net session's token, you either need to modify the mimikatz source code to use `CreateProcessAsUser`, or use a tool like incognito, as described in Penetration Techniques - Token Theft and Exploitation.
Tags: mimikatz, CreateProcess, CreateProcessAsUser, impersonation token, incognito
