Privilege Escalation · Term

What are Potato attacks?

Potato attacks are a family of Windows exploits that turn the SeImpersonate privilege into full SYSTEM access by tricking a privileged process into authenticating to the attacker. Here is what they are and how to defend.

TL;DR

Potato attacks are a family of Windows privilege-escalation techniques (JuicyPotato, RoguePotato, PrintSpoofer, GodPotato and others) that turn the SeImpersonatePrivilege held by service accounts into SYSTEM. They work by coercing a high-privilege Windows process to authenticate to the attacker, then using the impersonation privilege to steal its token. They are the go-to Windows escalation once an attacker lands as an IIS or SQL service account. The defence centres on patching and least-privilege service accounts.

By John Dill, Red Team Lead, SecureLayer7

What Potato attacks are

The "Potato" family all solve the same problem: an attacker has SeImpersonatePrivilege (common on service accounts) but is not yet SYSTEM. Each Potato variant finds a way to make a SYSTEM-level process authenticate to a listener the attacker controls, so the attacker can impersonate that SYSTEM token.

The variants differ in how they trigger that authentication:

  • JuicyPotato: abuses DCOM/NTLM on older Windows.
  • RoguePotato: a later variant for patched DCOM behaviour.
  • PrintSpoofer: abuses the print spooler service.
  • GodPotato: a broad, modern variant.

The abuse and payload

The attacker confirms SeImpersonate, then runs the variant that fits the target:

  • Confirm: whoami /priv shows SeImpersonatePrivilege enabled.
  • Run, for example: PrintSpoofer.exe -i -c cmd or GodPotato -cmd "cmd /c whoami"
  • The tool coerces a SYSTEM process to authenticate, impersonates its token, and spawns a shell as NT AUTHORITY\SYSTEM.

Which variant works depends on the Windows version and patch level. The commands above are publicly documented and are reproduced here so defenders can recognise them in their own telemetry.

How to defend

  • Patch promptly, since specific Potato variants rely on bugs Microsoft has addressed over time.
  • Remove SeImpersonatePrivilege from accounts that do not need it, and use least-privilege managed service accounts.
  • Harden and limit the print spooler and DCOM where feasible (PrintSpoofer abuses the spooler).
  • Segment so a compromised web or database service cannot easily reach more.
  • Detect the named-pipe and token-impersonation patterns these tools produce.
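Two of the defensive bullets above (removing SeImpersonatePrivilege from accounts that do not need it, and detecting the named-pipe plus token-impersonation pattern) can be turned into concrete checks. The example below is added here and is not code from SecureLayer7 or from any Potato tool. The first half parses the [Privilege Rights] section of a secedit export and reports holders of SeImpersonatePrivilege beyond an assumed baseline (Administrators, SERVICE, LOCAL SERVICE, NETWORK SERVICE, IIS_IUSRS; confirm that baseline against your own build standard). The second half runs a simple sequence rule over constructed host events: a non-SYSTEM process creates a named pipe, a SYSTEM client connects to it, and the same process then spawns a child running as SYSTEM. The event field names are this example's own, not Sysmon's, and all sample data is constructed.

```python
"""Defender-side checks for Potato-style escalation: audit who holds
SeImpersonatePrivilege, and flag the pipe-then-SYSTEM-child sequence.
All input below is constructed sample data, not captured from a host."""

# Assumed default holders of SeImpersonatePrivilege on a member server:
# Administrators, SERVICE, LOCAL SERVICE, NETWORK SERVICE, plus IIS_IUSRS
# where IIS is installed. Treat this baseline as an assumption.
BASELINE_SIDS = {"S-1-5-32-544", "S-1-5-6", "S-1-5-19", "S-1-5-20", "S-1-5-32-568"}

# Constructed excerpt of `secedit /export /cfg out.inf` output. The long
# domain SID is a placeholder for a custom application account.
SAMPLE_SECEDIT_INF = """[Privilege Rights]
SeImpersonatePrivilege = *S-1-5-32-544,*S-1-5-6,*S-1-5-19,*S-1-5-20,*S-1-5-32-568,*S-1-5-21-1111111111-2222222222-3333333333-1105
SeAssignPrimaryTokenPrivilege = *S-1-5-19,*S-1-5-20
"""


def parse_privilege_rights(inf_text):
    """Return {privilege_name: set(SIDs or account names)} from the
    [Privilege Rights] section of a secedit export. SIDs carry a leading
    '*' in that format, which is stripped here."""
    rights = {}
    in_section = False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
            continue
        if not in_section or "=" not in line:
            continue
        name, _, holders = line.partition("=")
        rights[name.strip()] = {h.strip().lstrip("*") for h in holders.split(",") if h.strip()}
    return rights


def nonbaseline_impersonate_holders(inf_text, baseline=BASELINE_SIDS):
    """Principals holding SeImpersonatePrivilege outside the assumed baseline;
    each one is a candidate for removal or for a managed service account."""
    return parse_privilege_rights(inf_text).get("SeImpersonatePrivilege", set()) - baseline


SYSTEM = "NT AUTHORITY\\SYSTEM"

# Constructed host telemetry in a simplified shape. Real Sysmon events 17
# (pipe created), 18 (pipe connected) and 1 (process create) carry the
# equivalent information; the field names here are this example's own.
SAMPLE_EVENTS = [
    {"t": 100, "type": "pipe_created", "pid": 4120,
     "user": "IIS APPPOOL\\DefaultAppPool", "pipe": "\\\\.\\pipe\\example"},
    {"t": 101, "type": "pipe_connected", "pipe": "\\\\.\\pipe\\example",
     "client_pid": 920, "client_user": SYSTEM},
    {"t": 102, "type": "process_created", "pid": 5200, "parent_pid": 4120,
     "user": SYSTEM, "image": "C:\\Windows\\System32\\cmd.exe"},
    # Benign noise: a SYSTEM-owned pipe and a non-SYSTEM child of the web worker.
    {"t": 200, "type": "pipe_created", "pid": 640, "user": SYSTEM, "pipe": "\\\\.\\pipe\\svcpipe"},
    {"t": 300, "type": "process_created", "pid": 6000, "parent_pid": 4120,
     "user": "IIS APPPOOL\\DefaultAppPool", "image": "C:\\Windows\\System32\\conhost.exe"},
]


def detect_potato_pattern(events, window=30):
    """Alert when a non-SYSTEM process creates a named pipe, a SYSTEM client
    connects to it within `window` seconds, and that same process then
    spawns a child running as SYSTEM. Returns a list of alert dicts."""
    pipes = {}      # pipe name -> (server pid, server user, create time)
    coerced = {}    # server pid -> (server user, pipe name)
    alerts = []
    for e in sorted(events, key=lambda ev: ev["t"]):
        if e["type"] == "pipe_created" and e["user"] != SYSTEM:
            pipes[e["pipe"]] = (e["pid"], e["user"], e["t"])
        elif e["type"] == "pipe_connected" and e.get("client_user") == SYSTEM:
            srv = pipes.get(e["pipe"])
            if srv and e["t"] - srv[2] <= window:
                coerced[srv[0]] = (srv[1], e["pipe"])
        elif e["type"] == "process_created" and e["user"] == SYSTEM:
            if e["parent_pid"] in coerced:
                user, pipe = coerced[e["parent_pid"]]
                alerts.append({"server_pid": e["parent_pid"], "server_user": user,
                               "pipe": pipe, "child_image": e["image"], "t": e["t"]})
    return alerts


if __name__ == "__main__":
    print("Extra SeImpersonate holders:", nonbaseline_impersonate_holders(SAMPLE_SECEDIT_INF))
    for a in detect_potato_pattern(SAMPLE_EVENTS):
        print("ALERT:", a)
```

The sequence rule deliberately keys on the relationship between the three events (same server process, same pipe, SYSTEM client, SYSTEM child) rather than on tool names or pipe strings, so a renamed binary or a custom pipe name does not evade it; tune the window and add your own allow-list of legitimate SYSTEM-spawning services before deploying it.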
