Windows Token Abuse: SeImpersonatePrivilege and Potato Variants

Analyzing how Windows access tokens enable local privilege escalation through SeImpersonatePrivilege abuse and modern Potato-family exploits.

Sivabalan Chandra Sekaran2 min read

Background

Windows access tokens represent a security context for a logged-on user. When a service account holds SeImpersonatePrivilege, it can impersonate tokens of clients connecting to it — a primitive that has powered an entire class of local privilege escalation exploits.

Token Internals

Each process maintains a primary token and may create impersonation tokens. The SeImpersonatePrivilege allows impersonation at SecurityImpersonation level, sufficient to execute code as the impersonated user.

// Simplified view of relevant structures
typedef struct _TOKEN {
    TOKEN_SOURCE TokenSource;
    LUID TokenId;
    LUID AuthenticationId;
    LUID ModifiedId;
    // ...
    PTOKEN_USER User;
    PSID_AND_ATTRIBUTES Groups;
} TOKEN, *PTOKEN;

The Potato Family

ExploitMechanismRequirements
Juicy PotatoCOM activationSeImpersonate, Windows ≤ Server 2016
Rogue PotatoRPC redirectionSeImpersonate
PrintSpooferSpooler serviceSeImpersonate
GodPotatoDCOMSeImpersonate

PrintSpoofer in Practice

When Spooler runs as SYSTEM and accepts connections from impersonation-capable accounts:

# Verify privilege
whoami /priv
# Look for SeImpersonatePrivilege

# Execute PrintSpoofer
.\PrintSpoofer.exe -i -c cmd

The exploit triggers RPC authentication, captures the SYSTEM token via RpcImpersonateClient, and spawns a process with duplicated primary token.

Detection

title: SeImpersonate Privilege Assignment
logsource:
    product: windows
detection:
    selection:
        EventID: 4672
        PrivilegeList|contains: 'SeImpersonatePrivilege'
    condition: selection

Monitor for:

  • CreateProcess events where parent is a service with SeImpersonatePrivilege
  • Unexpected NT AUTHORITY\SYSTEM token creation from non-system parents
  • Spooler/RPC activity from web service accounts

Mitigation

  1. Remove SeImpersonatePrivilege from service accounts where not required
  2. Run services as Virtual Accounts or gMSA with minimal privileges
  3. Apply Microsoft patches addressing specific COM/RPC abuse paths
  4. Use Windows Defender Application Control to block known exploit binaries

References

  1. Rotten Potato — Stephen Breen
  2. PrintSpoofer — itm4n

Share this research

Related Research