PrintNightmare (CVE-2021-34527) allowed any authenticated user to achieve SYSTEM privileges. Juicy Potato abuses COM authentication to escalate from a service account to SYSTEM. These attacks are real and devastating. This lesson dissects the mechanics of classic Windows privilege escalation techniques—so you can configure defenses that actually block them, and detect them in progress.
The 'Potato' family (Hot Potato, Rotten Potato, Juicy Potato) exploits the fact that services running with NT AUTHORITY\SYSTEM have the SeImpersonatePrivilege. By coercing a SYSTEM process to connect to a malicious named pipe or COM server, the attacker can impersonate the token and execute arbitrary code as SYSTEM. The core defense: ensure services that don't need impersonation run with a restricted token (e.g., using service SIDs or running under a lower-privilege account).
If a compromised service account holds SeImpersonatePrivilege, a Potato attack can escalate to SYSTEM. Restricting this privilege to the few services that genuinely need it is a priority.
PrintNightmare exploited an RPC call in the Print Spooler to load a malicious DLL, granting SYSTEM code execution remotely. The fix: disable the Print Spooler service on all non-print servers, and apply the patches that restrict Point and Print driver installation. GPO settings 'Package Point and Print – Allowed servers' and 'Restrict Driver Installation to Administrators' are essential.
```powershell
# Disable Print Spooler via GPO or direct command
Stop-Service -Name Spooler -Force
Set-Service -Name Spooler -StartupType Disabled
# Also via registry to be safe (4 = Disabled)
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Spooler" -Name Start -Value 4
```

| Attack | Vulnerability | Primary Defense |
|---|---|---|
| Juicy Potato | SeImpersonatePrivilege on service | Restrict privilege, use service SIDs, avoid running as SYSTEM |
| PrintNightmare | Print Spooler RCE | Disable Spooler on non-print servers, apply patch, restrict driver install |
| SeBackupPrivilege abuse | Backup privilege allows reading SAM | Remove SeBackupPrivilege from non-backup accounts |
Enable advanced audit policy: Audit Privilege Use (Success, Failure). This generates Event ID 4672 (special privileges assigned to new logon) and 4673 (privileged service called). Monitor for SeImpersonatePrivilege being used by unexpected processes. Sysmon can also log named pipe connections. Correlate with process creation events to spot the token kidnapping chain.
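As an added example (not part of the lesson's own material), the script below verifies the PrintNightmare mitigations named above and hunts the Security log for 4673 events where SeImpersonatePrivilege is exercised by a process outside an allowlist. The allowlist and the 24-hour window are assumptions to tune per host; run it elevated with Audit Privilege Use enabled.

```powershell
# Added example: hardening check + SeImpersonatePrivilege hunt. Not from the lesson.
$PointAndPrint = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'

function Test-SpoolerHardening {
    $spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    $pp = Get-ItemProperty -Path $PointAndPrint -ErrorAction SilentlyContinue
    [pscustomobject]@{
        SpoolerStartType = if ($spooler) { $spooler.StartType } else { 'NotInstalled' }
        # 1 = only administrators may install print drivers (the KB5005010 hardening)
        RestrictDriverInstallToAdmins = [int]($pp.RestrictDriverInstallationToAdministrators -eq 1)
        # 1 here would allow driver installs with no elevation prompt: unsafe
        NoWarningNoElevationOnInstall = [int]($pp.NoWarningNoElevationOnInstall -eq 1)
        Hardened = ($null -eq $spooler -or $spooler.StartType -eq 'Disabled') -and
                   ($pp.RestrictDriverInstallationToAdministrators -eq 1) -and
                   ($pp.NoWarningNoElevationOnInstall -ne 1)
    }
}

# Processes assumed to use SeImpersonatePrivilege legitimately on this host; tune per role.
$ExpectedImpersonators = @('services.exe', 'svchost.exe', 'lsass.exe', 'wininit.exe', 'spoolsv.exe')

function Find-UnexpectedImpersonation {
    param([int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 4673; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Flatten the EventData <Data Name="..."> nodes into a lookup table
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if ($d.PrivilegeList -match 'SeImpersonatePrivilege') {
            $proc = Split-Path -Leaf $d.ProcessName
            if ($ExpectedImpersonators -notcontains $proc) {
                [pscustomobject]@{
                    Time      = $_.TimeCreated
                    User      = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
                    LogonId   = $d.SubjectLogonId        # join key to 4688 process-creation events
                    Process   = $d.ProcessName
                    ProcessId = [int]$d.ProcessId        # event stores it as a 0x... hex string
                }
            }
        }
    }
}

Test-SpoolerHardening
Find-UnexpectedImpersonation -Hours 24 | Format-Table -AutoSize
```

A hit from this hunt is a lead, not a verdict: pivot on LogonId into 4688 (and Sysmon named-pipe events) to reconstruct the chain the paragraph above describes.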
⚠️ Even with patches, misconfigured COM and DCOM permissions can enable other potato variants. Regularly review COM object permissions using the 'dcomcnfg' tool.