Service account → SYSTEM via named-pipe impersonation
Service-context shell has SeImpersonatePrivilege. Use Potato-family tools (Juicy / Rogue / Print / God) to coerce SYSTEM to authenticate to an attacker-controlled named pipe, then impersonate the token.
§ Context
Assumed environment: foothold under a Windows service account (IIS pool, SQL Server, etc.) with default service privileges including SeImpersonatePrivilege.
§ Steps
- 01Service shell (IIS / MSSQL / etc.)Initial AccessT1078— Valid Accounts
- 02SYSTEM shellExecutionT1059— Command and Scripting Interpreter
- 03whoami /priv → confirm SeImpersonateDiscoveryT1087— Account Discovery
- 04Run GodPotato / JuicyPotatoNGPrivilege EscalationW-NAMED-PIPE-IMP— Named Pipe Impersonation
- 05Dump LSASS for cached domain credsCredential AccessW-LSASS-PROCDUMP— LSASS via procdump / comsvcs.dll
§ References
§ Frequently asked
- What is the "Service account → SYSTEM via named-pipe impersonation" attack path?
- Service-context shell has SeImpersonatePrivilege. Use Potato-family tools (Juicy / Rogue / Print / God) to coerce SYSTEM to authenticate to an attacker-controlled named pipe, then impersonate the token. It chains 5 steps drawn from real-world offensive-security techniques.
- What starting position does this attack require?
- The first step is Service shell (IIS / MSSQL / etc.) (T1078) — a initial access primitive. Assumed environment: foothold under a Windows service account (IIS pool, SQL Server, etc.
- What is the final impact of this kill-chain?
- The final step lands on Dump LSASS for cached domain creds (W-LSASS-PROCDUMP), which falls under Credential Access. From here, an operator typically pivots into post-exploitation or maintains persistence.
- How can defenders detect or prevent this attack?
- Detection and prevention vary per step. Refer to each linked MITRE ATT&CK entry under "References" — every technique on that page lists defensive controls, detection telemetry, and known threat-actor usage.
§ Related dossiers
- Shared techniques3
BYOVD → kernel-level disable of EDR callbacks
From local admin, load a signed-but-vulnerable driver. Use its kernel primitive to walk the EDR's PsSetCreateProcessNotifyRoutine entries and unlink them — EDR stops receiving events while still 'running'.
- Shared techniques3
UAC bypass → elevated admin on a workstation
Standard medium-integrity admin user runs fodhelper / silentcleanup / computerdefaults auto-elevate bypass — gets a high-integrity session without a UAC prompt.
- Shared techniques3
sudo NOPASSWD on a shell-spawner → root
User has sudo NOPASSWD on a binary that can shell out (vi, less, awk, perl, python). Use the binary's escape sequence to drop into a root shell.
- Shared techniques2
io_uring UAF → modprobe_path overwrite → root
Use an io_uring UAF to land arbitrary kernel write, repoint /proc/sys/kernel/modprobe to an attacker binary, then trigger a kernel auto-modprobe — runs the binary as root.
- Shared techniques2
nf_tables UAF → kernel R/W → root
CVE-2024-1086-class nf_tables UAF reachable from a user namespace. Win the race with userfaultfd to land an attacker object in the freed slot, build a kernel R/W primitive, overwrite the current task's cred struct.
- Shared techniques2
Process doppelgänging → spawn signed image with attacker bytes
Use NTFS transactional file APIs to overlay an attacker image during process creation. The final mapped process differs from the on-disk file — AV sees only the legit signed image at scan time.