BIPI

Token Impersonation and SeImpersonate Abuse: Potato Family Exploits


How SeImpersonatePrivilege turns a service account into SYSTEM. A walkthrough of the Potato lineage, from RottenPotato to PrintSpoofer, JuicyPotatoNG, GodPotato, and RemotePotato0.

By Arjun Raghavan, Security & Systems Lead, BIPI · April 5, 2025 · 12 min read

#windows #tokens #potato #seimpersonate #red-team

Why SeImpersonate is the crown jewel

SeImpersonatePrivilege lets a thread impersonate the security context of any client that connects to it. If you can coerce a SYSTEM process into authenticating to your local named pipe or RPC endpoint, you hold a SYSTEM token. Every IIS app pool, every MSSQL service and every WMI worker ships with it.

The original sin: RottenPotato

RottenPotato (2016) used a local NTLM relay through BITS/COM to coerce SYSTEM authentication. It worked, but it was unreliable, and Microsoft gradually patched the relay path. Every subsequent Potato is a variation on the same coercion primitive.

The family tree

  • JuicyPotato: BITS COM marshalling, killed by CLSID lockdown in Server 2019
  • RoguePotato: revives the technique via OXID resolver redirection on port 135
  • PrintSpoofer: abuses MS-RPRN spooler to coerce SYSTEM over named pipe
  • JuicyPotatoNG: PrintSpoofer style with extra CLSID coverage on Server 2022
  • GodPotato: uses DCOM OXID and works across all modern Windows builds
  • RemotePotato0: cross-session NTLM relay, useful when local fails
  • SweetPotato: aggregator that picks the working technique automatically

PrintSpoofer in practice

GodPotato when Spooler is disabled

How the coercion actually works

  1. The attacker (holding SeImpersonate) opens a named pipe or COM endpoint
  2. SYSTEM is coerced into authenticating by calling an RPC method such as RpcRemoteFindFirstPrinterChangeNotification
  3. SYSTEM connects, and the attacker's thread impersonates the inbound token
  4. DuplicateTokenEx upgrades the impersonation token to a primary token
  5. CreateProcessWithTokenW or CreateProcessAsUser spawns a SYSTEM shell

Where you find SeImpersonate

  • IIS application pools (DefaultAppPool, w3wp.exe)
  • MSSQL service via xp_cmdshell or xp_dirtree relay
  • Exchange transport and IIS roles, classic Hafnium-era foothold
  • Any service running as a virtual account or NETWORK SERVICE

Detection signals

Sysmon Event 1 with parent w3wp.exe spawning cmd.exe or whoami is a near-certain Potato indicator. Event 4672 with anonymous logon sources, plus rapid named pipe creation under the service account, is the canonical pattern. Defender for Endpoint has a dedicated Potato detection, but recompiled variants slip past it.
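As an added example (not code from the original post or from any of the tools it names), a minimal detector for the two Sysmon signals above: a service worker spawning cmd/whoami/powershell (Event 1) and a burst of named-pipe creations under one service account (Event 17). The flat dict layout, the field names, the parent/child sets and the burst thresholds are all assumptions for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Parent images that typically hold SeImpersonatePrivilege and have no
# business spawning interactive tooling (set assumed for this example).
SERVICE_PARENTS = {"w3wp.exe", "sqlservr.exe", "wmiprvse.exe"}
SUSPICIOUS_CHILDREN = {"cmd.exe", "whoami.exe", "powershell.exe"}
PIPE_BURST_COUNT = 3                       # pipes by one account ...
PIPE_BURST_WINDOW = timedelta(seconds=5)   # ... inside this window

def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def suspicious_children(events):
    """Sysmon Event 1: a service worker spawning cmd/whoami/powershell."""
    return [e for e in events if e["EventID"] == 1
            and _basename(e["ParentImage"]) in SERVICE_PARENTS
            and _basename(e["Image"]) in SUSPICIOUS_CHILDREN]

def pipe_bursts(events):
    """Sysmon Event 17: PIPE_BURST_COUNT pipes by one account within the window."""
    by_user = defaultdict(list)
    for e in events:
        if e["EventID"] == 17:
            by_user[e["User"]].append(datetime.strptime(e["UtcTime"], "%Y-%m-%d %H:%M:%S"))
    flagged = []
    for user, times in by_user.items():
        times.sort()
        for i in range(len(times) - PIPE_BURST_COUNT + 1):
            if times[i + PIPE_BURST_COUNT - 1] - times[i] <= PIPE_BURST_WINDOW:
                flagged.append(user)
                break
    return flagged

# Constructed sample telemetry, not real logs (timestamps omit Sysmon's
# millisecond suffix): an IIS app-pool worker opens three pipes in quick
# succession, then launches whoami as SYSTEM; the last record is benign.
POOL = "IIS APPPOOL\\DefaultAppPool"
W3WP = "C:\\Windows\\System32\\inetsrv\\w3wp.exe"
SAMPLE_EVENTS = [
    {"EventID": 17, "UtcTime": "2025-04-05 10:00:01", "User": POOL, "Image": W3WP, "PipeName": "\\pipe\\p1"},
    {"EventID": 17, "UtcTime": "2025-04-05 10:00:02", "User": POOL, "Image": W3WP, "PipeName": "\\pipe\\p2"},
    {"EventID": 17, "UtcTime": "2025-04-05 10:00:03", "User": POOL, "Image": W3WP, "PipeName": "\\pipe\\p3"},
    {"EventID": 1, "UtcTime": "2025-04-05 10:00:04", "User": "NT AUTHORITY\\SYSTEM",
     "Image": "C:\\Windows\\System32\\whoami.exe", "ParentImage": W3WP},
    {"EventID": 1, "UtcTime": "2025-04-05 10:00:05", "User": "NT AUTHORITY\\SYSTEM",
     "Image": "C:\\Windows\\System32\\svchost.exe", "ParentImage": "C:\\Windows\\System32\\services.exe"},
]
```

Run on a real Sysmon export you would feed both functions the same parsed record list and alert when either returns a non-empty result.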

Defenses that hold

  • Strip SeImpersonate from web app pools (use full-trust very sparingly)
  • Disable Spooler on servers that do not print (kills PrintNightmare and PrintSpoofer at once)
  • Enable RPC filters to block OXID resolution from non-loopback
  • Deploy WDAC or AppLocker to block unsigned beacons in temp paths
  • Defender ASR: "Block process creations originating from PSExec and WMI commands"

  • Time from web RCE to SYSTEM with GodPotato: <30s
  • Windows server builds GodPotato works on: Win10 1809 to Server 2022
  • IIS hosts with SeImpersonate enabled by default: 100%

A web shell in IIS is not a low-priv shell. It is a one-command-from-SYSTEM shell.

Wrap

The Potato family will keep mutating because the underlying primitive, impersonation of any inbound token, is a Windows feature. Defenders win by removing SeImpersonate from web tiers and turning off the Spooler.
