SeImpersonatePrivilege is a Windows privilege that lets a process impersonate the security token of a client that connects to it. It is granted by default to the accounts that run services such as IIS application pools and SQL Server, which is why it is one of the most common Windows privilege-escalation paths: an attacker who lands as such a service account uses a Potato-family tool to coerce a SYSTEM process into connecting to an endpoint the attacker controls, impersonates the resulting token, and runs code as SYSTEM. The first check on any Windows foothold is `whoami /priv`.
What SeImpersonatePrivilege is
Windows represents a logged-on identity with an access token. SeImpersonatePrivilege (shown as "Impersonate a client after authentication" in Local Security Policy) lets a process adopt the token of a client that authenticates to it, a legitimate need for services that do work on behalf of users. Without the privilege a process can generally use a client's token only at the identification level, which is enough to check who the client is but not to run code as them.
The catch is that the accounts services commonly run under (IIS application pool identities, the SQL Server service account, NETWORK SERVICE and LOCAL SERVICE) hold this privilege by default. If an attacker runs code as one of them, for example via a web shell on IIS or xp_cmdshell on SQL Server, they already hold a privilege that can be turned into full SYSTEM access without any further vulnerability on the host.
The abuse and payload
The attacker confirms the privilege, then uses a Potato tool to capture a SYSTEM token:
- Check: run `whoami /priv` and look for SeImpersonatePrivilege in the list. Its State column may read Enabled or Disabled; Disabled only means the privilege is not currently switched on in the token, and the tools enable it themselves, so presence is what matters.
- Run a Potato exploit that coerces a privileged process to authenticate to an endpoint the attacker controls and impersonates its token: `PrintSpoofer.exe -i -c cmd` or `GodPotato -cmd "cmd /c whoami"`.
- The result is a shell, or the output of the supplied command, running as NT AUTHORITY\SYSTEM.
These tools (PrintSpoofer, RoguePotato, JuicyPotato, GodPotato) all depend on SeImpersonatePrivilege (JuicyPotato also accepts SeAssignPrimaryTokenPrivilege) and differ mainly in how they coerce a SYSTEM process to connect. Shown for defensive context.
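Triage of the check above, as an added example that is not code from the article or from any of the tools named: parse captured `whoami /priv` output and report whether the token carries a privilege the Potato family can use. The sample output is constructed to resemble an IIS application pool identity; the privilege names are real, but the function names and the sample text are my own. It also encodes the caveat that a privilege listed as Disabled is still held.

```python
"""Triage of `whoami /priv` output for token-impersonation exposure.

Added example, not code from the original article or from any Potato tool.
Assumes the plain-text table that `whoami /priv` prints on English Windows.
"""
from __future__ import annotations

# Privileges the Potato family turns into SYSTEM. SeImpersonatePrivilege is
# the common one; JuicyPotato also accepts SeAssignPrimaryTokenPrivilege.
TOKEN_ABUSE_PRIVILEGES = {"SeImpersonatePrivilege", "SeAssignPrimaryTokenPrivilege"}

# Constructed sample: what an IIS application pool identity typically shows.
SAMPLE_WHOAMI_PRIV = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeAuditPrivilege              Generate security audits                  Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
"""


def parse_privileges(text: str) -> dict[str, str]:
    """Map privilege name -> State ("Enabled"/"Disabled") from whoami /priv text."""
    privs: dict[str, str] = {}
    in_table = False
    for line in text.splitlines():
        if line.startswith("====="):
            in_table = True          # header underline; table rows follow it
            continue
        if not in_table or not line.strip():
            continue
        parts = line.split()        # description may contain spaces; name is
        name, state = parts[0], parts[-1]   # first token, state is last token
        if name.startswith("Se") and state in ("Enabled", "Disabled"):
            privs[name] = state
    return privs


def potato_exposure(privs: dict[str, str]) -> dict[str, str]:
    """Return the token-abuse privileges present in the token, with their state.

    Presence is what matters: a privilege shown as Disabled is still held and
    the process can enable it itself (AdjustTokenPrivileges), so the Potato
    tools work either way. The state is reported only for the record.
    """
    return {p: privs[p] for p in sorted(TOKEN_ABUSE_PRIVILEGES) if p in privs}


def is_exposed(text: str) -> bool:
    """True if the token described by `text` is a Potato candidate."""
    return bool(potato_exposure(parse_privileges(text)))


if __name__ == "__main__":
    for name, state in potato_exposure(parse_privileges(SAMPLE_WHOAMI_PRIV)).items():
        print(f"{name}: {state} (present, usable regardless of state)")
```

Feed it the output collected from a service context (a web shell, an xp_cmdshell call, or an audit script run under each service account) to decide whether the Potato path is open on that host.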
How to defend
- Patch promptly: several Potato variants depend on behaviour Microsoft has since changed (the original JuicyPotato stopped working from Windows 10 1809 and Server 2019), but newer variants keep appearing, so patching raises the bar rather than closing the path.
- Run services with the least privilege needed, and prefer virtual or managed service accounts over shared accounts with broad rights. Note that these accounts still hold SeImpersonatePrivilege when they log on as a service, so they limit what else an attacker reaches rather than closing this path.
- Limit what a compromised web or database service can do (segmentation, restricted file write).
- Detect Potato-style behaviour: named pipes created by web or database service processes, especially ones whose name mimics a system service's pipe, and SYSTEM processes whose parent runs as a non-SYSTEM service account.
- Avoid granting SeImpersonate to accounts that do not require it. The default grant (User Rights Assignment: Impersonate a client after authentication) covers Administrators, LOCAL SERVICE, NETWORK SERVICE and the SERVICE group, so every account that logs on as a service receives it; removing it from a service that genuinely impersonates clients will break that service, so test before changing the policy.
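The detection bullet in concrete form, as an added example that is not part of the article and not a vendor rule: three checks over Sysmon-style ProcessCreate and PipeCreated events, exercised against a constructed event sequence that follows the chain described above (web shell, Potato tool, spoofed pipe name, SYSTEM child). The Sysmon field names are real; ParentUser requires Sysmon 13 or later. The process names, paths, pipe name, app pool identity and the expected-owner table are assumptions chosen for illustration.

```python
"""Potato-style detection logic over Sysmon-style events (added example).

Not detection content from the original article or from any tool author.
Field names follow Sysmon ProcessCreate (Event ID 1) and PipeCreated
(Event ID 17); ParentUser needs Sysmon 13 or later. All events are constructed.
"""
from __future__ import annotations

import ntpath

SYSTEM_USER = "NT AUTHORITY\\SYSTEM"
APPPOOL = "IIS APPPOOL\\DefaultAppPool"        # constructed app pool identity
SERVICE_HOSTS = {"w3wp.exe", "sqlservr.exe"}   # run as impersonation-capable accounts
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# Pipe names a coerced SYSTEM client expects a real service to own (assumed table).
EXPECTED_PIPE_OWNER = {"spoolss": {"spoolsv.exe"}, "epmapper": {"svchost.exe"}}

SAMPLE_EVENTS = [  # constructed sequence, in time order
    # Normal: WAS (svchost, SYSTEM) starts the IIS worker under the app pool identity.
    {"EventID": 1, "Image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe", "User": APPPOOL, "ParentUser": SYSTEM_USER},
    # Normal: ASP.NET dynamic compilation; w3wp legitimately spawns csc.exe.
    {"EventID": 1, "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe", "User": APPPOOL, "ParentUser": APPPOOL},
    # Web shell: the worker process spawns a command shell.
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe", "User": APPPOOL, "ParentUser": APPPOOL},
    # The shell runs a renamed Potato tool as the same low-privileged identity.
    {"EventID": 1, "Image": r"C:\inetpub\wwwroot\uploads\ps.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "User": APPPOOL, "ParentUser": APPPOOL},
    # The tool registers a pipe whose final segment mimics the spooler's pipe.
    {"EventID": 17, "Image": r"C:\inetpub\wwwroot\uploads\ps.exe",
     "PipeName": r"\9f2k\pipe\spoolss", "User": APPPOOL},
    # The impersonated token starts a shell: SYSTEM child, non-SYSTEM parent.
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\inetpub\wwwroot\uploads\ps.exe", "User": SYSTEM_USER, "ParentUser": APPPOOL},
    # Normal: the real spooler creates its own pipe.
    {"EventID": 17, "Image": r"C:\Windows\System32\spoolsv.exe", "PipeName": r"\spoolss", "User": SYSTEM_USER},
]


def _base(path: str) -> str:
    return ntpath.basename(path).lower()


def rule_shell_from_service_host(ev: dict) -> str | None:
    """Web/database worker spawning an interactive shell: the web-shell stage."""
    if ev.get("EventID") != 1:
        return None
    if _base(ev["ParentImage"]) in SERVICE_HOSTS and _base(ev["Image"]) in SHELLS:
        return f"{_base(ev['ParentImage'])} spawned {_base(ev['Image'])} as {ev['User']}"
    return None


def rule_system_child_of_non_system(ev: dict) -> str | None:
    """SYSTEM child of a non-SYSTEM parent: the token-use stage of every variant.

    In normal operation a SYSTEM process is started by another SYSTEM process
    (services.exe, svchost.exe), so a parent/child user mismatch is high-signal
    whichever coercion trick produced the token.
    """
    if ev.get("EventID") != 1 or ev.get("User") != SYSTEM_USER:
        return None
    parent_user = ev.get("ParentUser")        # absent on Sysmon < 13
    if parent_user is not None and parent_user != SYSTEM_USER:
        return f"SYSTEM {_base(ev['Image'])} spawned by {parent_user} via {_base(ev['ParentImage'])}"
    return None


def rule_pipe_name_spoof(ev: dict) -> str | None:
    """PipeCreated whose final segment is a service pipe name, by a non-owner image."""
    if ev.get("EventID") != 17:
        return None
    final = ev["PipeName"].rsplit("\\", 1)[-1].lower()
    owners = EXPECTED_PIPE_OWNER.get(final)
    if owners and _base(ev["Image"]) not in owners:
        return f"pipe {ev['PipeName']} created by {_base(ev['Image'])} instead of {'/'.join(sorted(owners))}"
    return None


RULES = (rule_shell_from_service_host, rule_system_child_of_non_system, rule_pipe_name_spoof)


def run_rules(events: list[dict]) -> list[tuple[str, str]]:
    """Return (rule name, message) for every event that trips a rule."""
    alerts: list[tuple[str, str]] = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                alerts.append((rule.__name__, hit))
    return alerts


if __name__ == "__main__":
    for name, msg in run_rules(SAMPLE_EVENTS):
        print(f"[{name}] {msg}")
```

The pipe rule is the noisiest of the three in practice (legitimate software creates pipes under many names), so tune EXPECTED_PIPE_OWNER to the services on the host; the parent/child user mismatch is the durable signal, because every variant ends by using the captured token to start a process.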