How to Detect Token Impersonation Attacks on Windows

Retool's new app builder is where AI-generated code ships safely
Building apps with AI is easy. Getting them to production safely is another story.
Windows access tokens are the security credentials that determine what resources a process can access. Every process has a primary token (set at creation) and can acquire impersonation tokens from other users: which is a legitimate feature for services that need to act on behalf of clients.
Attackers abuse this mechanism in two ways: by stealing tokens from privileged processes (token theft via Mimikatz token::elevate or Metasploit Incognito), and by abusing SeImpersonatePrivilege held by service accounts to force SYSTEM to impersonate them (Potato attack family). Both result in attacker code running with privileges well above the initial compromise level.
Token Impersonation Techniques
Technique 1: Token theft from privileged processes (Mimikatz/Incognito)
# Mimikatz token elevation: steals a token from a SYSTEM process
mimikatz# privilege::debug # Get SeDebugPrivilege
mimikatz# token::elevate # Impersonate SYSTEM by stealing token from winlogon.exe
mimikatz# sekurlsa::logonpasswords # Now running as SYSTEM: can dump all hashes
# Metasploit Incognito (enumerate available tokens)
meterpreter> use incognito
meterpreter> list_tokens -u
# Output:
# Delegation Tokens Available:
# CORP\DomainAdmin ← Domain admin is logged in and their token is available
# NT AUTHORITY\SYSTEM
#
meterpreter> impersonate_token "CORP\DomainAdmin"
Technique 2: SeImpersonatePrivilege abuse (Potato attacks)
Services running as NetworkService, LocalService, or IIS AppPool identities have SeImpersonatePrivilege. Potato attacks create a named pipe server that tricks SYSTEM or Network Service into connecting, then impersonate that connection token.
# PrintSpoofer (modern Potato variant: works on Windows 10, Server 2019/2022)
PrintSpoofer.exe -i -c cmd.exe
# Result: cmd.exe running as NT AUTHORITY\SYSTEM
# JuicyPotato (older, requires specific CLSID)
JuicyPotato.exe -l 1337 -p c:\windows\system32\cmd.exe -t * -c {CLSID}
# RoguePotato (uses NTLM relay instead of CLSID)
RoguePotato.exe -r 10.0.0.100 -e "cmd.exe" -l 9999
Technique 3: CreateProcessWithToken API
// Attacker code that opens a privileged process token and spawns a new process with it
IntPtr hToken;
OpenProcessToken(privilegedProcessHandle, TOKEN_ALL_ACCESS, out hToken);
DuplicateTokenEx(hToken, ..., SecurityImpersonation, TokenPrimary, out hDupToken);
CreateProcessWithTokenW(hDupToken, 0, "cmd.exe", null, ...)
// Result: cmd.exe inherits the stolen token's privileges
Detection: Event Log Signals
Event ID 4672: Special privileges assigned to new logon:
When a token with special privileges is used to create a new logon session, Event 4672 is logged. This fires legitimately for admin logons but becomes suspicious when the subject account is a service account or when specific dangerous privileges appear.
// Sentinel KQL: detect dangerous privilege assignments from service accounts
SecurityEvent
| where EventID == 4672
| where TimeGenerated > ago(24h)
// Privileges that enable token manipulation:
| where PrivilegeList contains "SeImpersonatePrivilege"
or PrivilegeList contains "SeAssignPrimaryTokenPrivilege"
or PrivilegeList contains "SeTcbPrivilege" // Act as part of OS: rarely legitimate
or PrivilegeList contains "SeCreateTokenPrivilege" // Create arbitrary tokens: almost never legitimate
// Filter service accounts where these are anomalous
| where SubjectUserName !in~ ("SYSTEM", "LOCAL SERVICE", "NETWORK SERVICE") // Expected
or PrivilegeList contains "SeCreateTokenPrivilege" // Never legitimate for most accounts
| summarize count() by SubjectUserName, PrivilegeList, Computer
| sort by count_ desc
Event ID 4688: A new process was created (with parent-child anomalies):
// Detect cmd.exe or PowerShell spawned by IIS (w3wp.exe) or SQL Server (sqlservr.exe)
// These are the typical service accounts that have SeImpersonatePrivilege
SecurityEvent
| where EventID == 4688
| where ParentProcessName has_any ("w3wp.exe", "sqlservr.exe", "msdtc.exe", "services.exe")
and NewProcessName has_any ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
"JuicyPotato.exe", "PrintSpoofer.exe", "RoguePotato.exe")
| project TimeGenerated, Computer, SubjectUserName, ParentProcessName, NewProcessName, CommandLine
| sort by TimeGenerated desc
Sysmon Event ID 10: Process Access (token theft via OpenProcessToken):
<!-- Sysmon config to detect token theft: watching for OpenProcess on lsass.exe
or winlogon.exe with token-relevant access masks -->
<EventFiltering>
<ProcessAccess onmatch="include">
<!-- Access masks: 0x1000 (PROCESS_QUERY_INFORMATION) + 0x40 (DUP_HANDLE) = token theft -->
<TargetImage condition="is">C:\Windows\System32\winlogon.exe</TargetImage>
<TargetImage condition="is">C:\Windows\System32\lsass.exe</TargetImage>
<GrantedAccess condition="is">0x1040</GrantedAccess> <!-- QueryInfo + DupHandle -->
<GrantedAccess condition="is">0x1400</GrantedAccess> <!-- QueryInfo + QueryLtdInfo -->
</ProcessAccess>
</EventFiltering>
Briefings like this, every morning before 9am.
Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.
Detection: Potato Attack Specific Signals
Potato attacks create named pipes, trigger SYSTEM authentication, and then impersonate: generating detectable named pipe and impersonation events.
Sysmon Event ID 17/18: Named Pipe Created/Connected:
// Detect suspicious named pipe creation by non-system processes (Potato attacks)
SysmonEvent
| where EventID in (17, 18)
| where TimeGenerated > ago(24h)
// PrintSpoofer creates pipes like \pipe\spoolss or \pipe\SPOOLSS
| where PipeName contains_any ("spoolss", "PIPE", "RPC")
and Image !contains "\\Windows\\System32\\"
and Image !contains "\\Windows\\SysWOW64\\"
| project TimeGenerated, Computer, Image, PipeName, User
Network connection from SYSTEM after Potato attack:
// PrintSpoofer forces SpoolSS to connect back: detect SYSTEM connecting to localhost
SysmonEvent
| where EventID == 3 // Network connection
| where User == "NT AUTHORITY\\SYSTEM"
and DestinationIp == "127.0.0.1"
and DestinationPort > 1024 // Unusual high port: attacker's named pipe server
| project TimeGenerated, Computer, Image, DestinationIp, DestinationPort
Mitigation: remove SeImpersonatePrivilege from unnecessary accounts:
# Use secedit to audit SeImpersonatePrivilege assignments
secedit /export /cfg C:\temp\secpolicy.cfg /areas USER_RIGHTS
Select-String -Path C:\temp\secpolicy.cfg -Pattern "SeImpersonatePrivilege"
# Output: SeImpersonatePrivilege = *S-1-5-20,*S-1-5-19,*S-1-5-6,...
# Remove SeImpersonatePrivilege from accounts that don't need it
# Accounts that legitimately need it: IIS AppPool, SQL Server service accounts, COM+ apps
# IIS mitigation: run application pools as custom service accounts with minimal rights
# (NOT as built-in NetworkService which has SeImpersonatePrivilege)
# Configure via GPO:
# Computer Configuration > Windows Settings > Security Settings > Local Policies >
# User Rights Assignment > "Impersonate a client after authentication"
# Remove: Everyone, Users: keep only specific service accounts that require it
The bottom line
Token impersonation attacks escalate from service account to SYSTEM (Potato attacks using SeImpersonatePrivilege) or steal privileged tokens from running processes (Mimikatz token::elevate, Incognito). Detection: Event ID 4672 for dangerous privilege assignments, Event 4688 parent-child anomalies (cmd.exe spawned by w3wp.exe), Sysmon Event 10 for OpenProcessToken calls on winlogon.exe, and Sysmon Events 17/18 for named pipe creation by non-system processes. Mitigation: remove SeImpersonatePrivilege from accounts that do not require it and run IIS application pools as custom accounts with minimal rights rather than NetworkService.
Frequently asked questions
What is Windows token impersonation?
Windows token impersonation is an attack where a low-privilege process steals or assumes the security token of a higher-privilege process: gaining that process's permissions without knowing the target account's credentials. Common implementations include Potato attacks (abusing SeImpersonatePrivilege to escalate to SYSTEM) and Mimikatz token::elevate (stealing tokens from privileged processes like winlogon.exe).
How do you detect Potato attacks and token impersonation?
Monitor Event ID 4688 for cmd.exe or PowerShell spawned by IIS (w3wp.exe) or SQL Server processes (SeImpersonatePrivilege holders), Event ID 4672 for SeCreateTokenPrivilege or SeAssignPrimaryTokenPrivilege on service accounts, Sysmon Event 10 for OpenProcess calls on winlogon.exe or lsass.exe with token-relevant access masks, and Sysmon Events 17/18 for named pipe creation by non-system processes (Potato attacks create named pipes to trigger SYSTEM authentication).
What is Windows token impersonation and how do attackers abuse it?
Windows access tokens are kernel objects that represent the security context of a process or thread: they carry the user identity, group memberships, and privileges. SeImpersonatePrivilege allows a process to impersonate another user's token. Attackers with a service account that has SeImpersonatePrivilege (IIS, SQL Server, and many other service accounts have this by default) can use Potato-family exploits (PrintSpoofer, RoguePotato, GodPotato) to coerce SYSTEM-level authentication from Windows, then impersonate the SYSTEM token — escalating from a service account to SYSTEM privileges without exploiting a code vulnerability.
How do Potato attacks work in Windows privilege escalation?
Potato attacks exploit Windows COM object interactions and token impersonation. The attack flow: an attacker running as a service account creates a named pipe and registers a COM object that causes SYSTEM to authenticate to their pipe; when the SYSTEM process connects, the attacker captures and impersonates the SYSTEM token using SeImpersonatePrivilege. Modern variants (PrintSpoofer, GodPotato) target different COM objects and printer spooler coercion paths. The defense: remove SeImpersonatePrivilege from service accounts that do not need it; this privilege is required by IIS application pools and SQL Server but is often granted unnecessarily to third-party service accounts. Check SeImpersonatePrivilege assignments with: Get-ADUser -Filter * -Properties PasswordLastSet | Where service account names.
How do I prevent privilege escalation from service accounts on Windows?
Service account privilege escalation prevention: (1) Remove SeImpersonatePrivilege from service accounts that do not need it — audit with 'whoami /priv' on accounts running services. (2) Migrate service accounts to gMSAs: Group Managed Service Accounts run with minimal privileges and automatically rotated passwords. (3) Run IIS application pools under least-privileged identities ('ApplicationPoolIdentity' virtual accounts) rather than domain service accounts. (4) Enable Windows Defender Exploit Protection on service host processes to restrict dangerous API calls. (5) Monitor for Potato attack tool signatures in EDR: PrintSpoofer, GodPotato, and RoguePotato all have known process and file signatures. (6) Patch Windows promptly: Microsoft has patched some Potato variants at the OS level in cumulative updates.
How do I write a Sysmon configuration to detect token impersonation without generating excessive noise?
Effective Sysmon coverage for token impersonation focuses on three event types with targeted filters. For Event ID 10 (ProcessAccess), target TargetImage values of lsass.exe and winlogon.exe and filter for GrantedAccess values that include 0x0040 (DuplicateHandle) combined with 0x0400 (QueryInformation) -- the access mask combination required to steal a token. Exclude known-legitimate callers such as MsMpEng.exe (Defender), svchost.exe accessing lsass for standard authentication, and your EDR agent process by specifying their full paths in exclude rules. For Event ID 17 and 18 (PipeEvent), monitor for named pipe creation where the Image is not in System32 or SysWOW64 and the PipeName contains substrings common to Potato attacks ('spoolss', 'epmapper', 'MsFteWds'). For Event ID 1 (ProcessCreate), alert on cmd.exe or PowerShell where the ParentImage is w3wp.exe, sqlservr.exe, or WmiPrvSE.exe and the IntegrityLevel is 'System' -- this combination indicates a successful privilege escalation from a service account to SYSTEM. Test your configuration against the Atomic Red Team T1134 tests before deploying to production to verify detection coverage without alert fatigue.
Sources & references
Free resources
Critical CVE Reference Card 2025–2026
25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.
Ransomware Incident Response Playbook
Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.
Get threat intel before your inbox does.
50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.
Unsubscribe anytime. We never sell your data.

Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.
Win a $2,495 Black Hat pass.
Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.
