Windows Token Abuse: SeImpersonatePrivilege and Potato Variants
Analyzing how Windows access tokens enable local privilege escalation through SeImpersonatePrivilege abuse and modern Potato-family exploits.
Background
Windows access tokens represent a security context for a logged-on user. When a service account holds SeImpersonatePrivilege, it can impersonate tokens of clients connecting to it — a primitive that has powered an entire class of local privilege escalation exploits.
Token Internals
Each process maintains a primary token and may create impersonation tokens. The SeImpersonatePrivilege allows impersonation at SecurityImpersonation level, sufficient to execute code as the impersonated user.
// Simplified view of relevant structures
typedef struct _TOKEN {
TOKEN_SOURCE TokenSource;
LUID TokenId;
LUID AuthenticationId;
LUID ModifiedId;
// ...
PTOKEN_USER User;
PSID_AND_ATTRIBUTES Groups;
} TOKEN, *PTOKEN;
The Potato Family
| Exploit | Mechanism | Requirements |
|---|---|---|
| Juicy Potato | COM activation | SeImpersonate, Windows ≤ Server 2016 |
| Rogue Potato | RPC redirection | SeImpersonate |
| PrintSpoofer | Spooler service | SeImpersonate |
| GodPotato | DCOM | SeImpersonate |
PrintSpoofer in Practice
When Spooler runs as SYSTEM and accepts connections from impersonation-capable accounts:
# Verify privilege
whoami /priv
# Look for SeImpersonatePrivilege
# Execute PrintSpoofer
.\PrintSpoofer.exe -i -c cmd
The exploit triggers RPC authentication, captures the SYSTEM token via RpcImpersonateClient, and spawns a process with duplicated primary token.
Detection
title: SeImpersonate Privilege Assignment
logsource:
product: windows
detection:
selection:
EventID: 4672
PrivilegeList|contains: 'SeImpersonatePrivilege'
condition: selection
Monitor for:
CreateProcessevents where parent is a service withSeImpersonatePrivilege- Unexpected
NT AUTHORITY\SYSTEMtoken creation from non-system parents - Spooler/RPC activity from web service accounts
Mitigation
- Remove
SeImpersonatePrivilegefrom service accounts where not required - Run services as Virtual Accounts or gMSA with minimal privileges
- Apply Microsoft patches addressing specific COM/RPC abuse paths
- Use Windows Defender Application Control to block known exploit binaries
References
Share this research
Related Research
Linux Privilege Escalation: Exploiting Misconfigurations in Production Environments
Systematic approach to identifying and exploiting common Linux privilege escalation vectors including SUID binaries, capabilities, and cron misconfigurations.
Active Directory Kerberoasting: From SPN Enumeration to Offline Cracking
A defender-focused deep dive into Kerberoasting mechanics, detection opportunities, and hardening recommendations for enterprise Active Directory environments.