Inferensys

Glossary

Token Impersonation

A Windows privilege escalation technique where an attacker uses the SeImpersonatePrivilege to assume the security context of a different logged-on user, often escalating to SYSTEM.
Engineer optimizing context window usage on laptop, token usage charts visible, technical work session.
PRIVILEGE ESCALATION TECHNIQUE

What is Token Impersonation?

Token Impersonation is a Windows security vulnerability where an attacker leverages the SeImpersonatePrivilege to assume the security context of a different logged-on user, often escalating privileges to SYSTEM.

Token Impersonation is a post-exploitation technique in Windows environments where a process with the SeImpersonatePrivilege creates a thread that adopts the access token of a different user. This allows an attacker to execute code with the identity and privileges of the target user, most commonly escalating from a local service account to the highly privileged NT AUTHORITY\SYSTEM context.

The attack typically exploits services running as NETWORK SERVICE or LOCAL SERVICE, which inherently possess the SeImpersonatePrivilege. Attackers use tools like RoguePotato or PrintSpoofer to coerce a privileged process into authenticating to a malicious named pipe, capturing the resulting token to achieve full system compromise.

ATTACK VECTORS

Common Token Impersonation Techniques

Token impersonation attacks exploit the Windows security model to assume the identity of another user. These techniques leverage the SeImpersonatePrivilege to escalate from a compromised service account to NT AUTHORITY\SYSTEM.

01

Potato Family Exploits

A series of NTLM reflection and relay attacks that force a privileged process to authenticate to a malicious listener, capturing the token for impersonation.

  • Hot Potato: Exploits HTTP-to-SMB NTLM relay and a race condition in the WebDAV redirector.
  • Rotten Potato: Abuses the AcceptSecurityContext API to force a SYSTEM-level COM service to authenticate.
  • Juicy Potato: A more reliable variant that uses a CLSID lookup to trigger a COM server under SYSTEM context.
  • PrintSpoofer: Exploits the RpcRemoteFindFirstPrinterChangeNotification function to force a SYSTEM process to connect to a named pipe.
SYSTEM
Target Privilege Level
02

Named Pipe Impersonation

A technique where an attacker creates a named pipe server and coerces a higher-privileged client to connect to it. The ImpersonateNamedPipeClient API call then allows the server to assume the security context of the connected client.

  • The attacker typically uses a printer bug or PetitPotam to force the SYSTEM account to authenticate to the malicious pipe.
  • This method is highly effective against unpatched domain controllers and is a core component of many local privilege escalation chains.
PetitPotam
Common Coercion Method
03

Token Duplication via Direct API Calls

Instead of coercing a connection, an attacker with SeDebugPrivilege can directly enumerate and duplicate tokens from running processes.

  • Process Hacker / Mimikatz: Tools that use OpenProcessToken and DuplicateTokenEx to create a primary token for spawning a new process.
  • Parent PID Spoofing: Combining token duplication with process creation to make a malicious process appear to be a child of a legitimate SYSTEM process.
  • This technique requires high initial privileges but provides a direct path to SYSTEM without network coercion.
SeDebugPrivilege
Required Initial Privilege
04

Service Account to SYSTEM Escalation

Many service accounts, such as IIS APPPOOL\DefaultAppPool or NETWORK SERVICE, are granted SeImpersonatePrivilege by default. An attacker who gains code execution in this context can immediately escalate to SYSTEM.

  • Web Shell Scenario: A web shell running under the IIS worker process can execute a Potato exploit to gain full system control.
  • SQL Server Scenario: An attacker with xp_cmdshell access running as a service account can use token impersonation to break out of the database process isolation.
  • This attack vector is a primary reason why service hardening and least-privilege configurations are critical.
IIS / SQL
Common Initial Vectors
TOKEN IMPERSONATION SECURITY

Frequently Asked Questions

Clear, technical answers to the most common questions about Windows token impersonation attacks, privilege escalation mechanics, and the defensive controls that mitigate them.

Token impersonation is a Windows privilege escalation technique where an attacker leverages the SeImpersonatePrivilege to assume the security context of a different logged-on user, often escalating from a low-privilege service account to NT AUTHORITY\SYSTEM. The attack works by locating a process running under a target security context, opening its primary token with OpenProcessToken(), duplicating it with DuplicateTokenEx() to create an impersonation token, and then spawning a new process or thread using CreateProcessWithTokenW() that inherits the stolen identity. This technique is particularly dangerous because it does not require credential theft—the attacker simply borrows an existing authenticated session. Common exploitation tools include JuicyPotato, RoguePotato, and PrintSpoofer, which coerce privileged processes into authenticating to attacker-controlled named pipes, providing a token that can be impersonated.

Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.