GodPotato Exploit Now Operational with Cobalt Strike BOF
Editor's Note — Shimi Cohen
GodPotato proved the concept. Offensive tooling keeps turning it into operational reality.
I’m seeing a fresh Cobalt Strike Beacon Object File (BOF) hitting the streets, and it’s a real eye-opener. This BOF is specifically designed to perform privilege escalation by abusing the SeImpersonate privilege, a classic Windows privilege-abuse vector that just keeps giving. What’s particularly interesting is that this isn’t some entirely new exploit; it’s based on the original GodPotato Proof-of-Concept (PoC) developed by BeichenDream.
This development, courtesy of incursi0n’s work on GodPotatoBOF, signifies a critical shift. A PoC demonstrating a vulnerability is one thing, but when it gets weaponized into a tool like a Cobalt Strike BOF, it moves from theoretical to immediately operational. This means red teams and, more disturbingly, actual threat actors now have a ready-made module to drop into their C2 frameworks, making privilege escalation in compromised Windows environments significantly easier and more efficient. It’s a stark reminder that even well-known privilege escalation vectors are still actively being integrated into modern offensive toolkits. Defenders need to stay sharp on SeImpersonate privilege abuse and ensure their detection capabilities are up to snuff.
What This Means For You
- If services in your Windows environments run under accounts that hold the `SeImpersonate` privilege, you need to understand the implications of this new Cobalt Strike BOF. Audit your systems for suspicious process creation originating from services with this privilege and ensure your EDR solutions are tuned to detect known GodPotato-like exploitation techniques. This isn't just a PoC anymore; it's a weaponized tool.
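The two passages above (the call for detection capabilities and the audit advice) both come down to one observable: a Potato-style exploit runs as a service account and ends by spawning a child process as NT AUTHORITY\SYSTEM. The following is an added example, written for this page and not code from the original post or from the GodPotatoBOF or GodPotato projects. It assumes process-creation telemetry (Sysmon Event ID 1 or Security Event 4688) has already been parsed into records carrying the process id, parent process id, user and image; the sample events and the `exploit.exe` image name are constructed placeholders.

```python
"""Flag service-account -> SYSTEM privilege jumps in process-creation telemetry.

Added example for the post above; not part of GodPotato or GodPotatoBOF.
Assumes Sysmon Event ID 1 / Security 4688 fields already parsed into
ProcessEvent records. All sample events below are constructed.
"""
import re
from dataclasses import dataclass

# Accounts that commonly hold SeImpersonatePrivilege without being SYSTEM
# (IIS application pools, the built-in service accounts, virtual service accounts).
SERVICE_ACCOUNT_PATTERNS = (
    re.compile(r"^NT AUTHORITY\\(NETWORK SERVICE|LOCAL SERVICE)$", re.I),
    re.compile(r"^IIS APPPOOL\\", re.I),
    re.compile(r"^NT SERVICE\\", re.I),
)
SYSTEM_ACCOUNT = "NT AUTHORITY\\SYSTEM"


@dataclass(frozen=True)
class ProcessEvent:
    pid: int      # in production prefer ProcessGuid: pids are reused
    ppid: int
    user: str     # the account the new process runs as
    image: str


def is_service_account(user: str) -> bool:
    """True for accounts that typically carry SeImpersonatePrivilege."""
    return any(p.search(user) for p in SERVICE_ACCOUNT_PATTERNS)


def find_privilege_jumps(events):
    """Return (parent, child) pairs where a service-account process spawned
    a SYSTEM child. Legitimate SYSTEM-from-SYSTEM spawns (services.exe,
    svchost.exe) are not flagged because the parent is not a service account."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for child in events:
        parent = by_pid.get(child.ppid)
        if parent is None:
            continue
        if child.user.upper() == SYSTEM_ACCOUNT and is_service_account(parent.user):
            hits.append((parent, child))
    return hits


def sample_events():
    """Constructed telemetry: an IIS app pool shell running a Potato-style
    exploit that pops a SYSTEM cmd.exe, plus normal service activity."""
    return [
        ProcessEvent(4,    0,    SYSTEM_ACCOUNT, "System"),
        ProcessEvent(700,  4,    SYSTEM_ACCOUNT, "C:\\Windows\\System32\\services.exe"),
        # services.exe starting a NETWORK SERVICE svchost: normal, not flagged
        ProcessEvent(1200, 700,  "NT AUTHORITY\\NETWORK SERVICE", "C:\\Windows\\System32\\svchost.exe"),
        # services.exe starting a SYSTEM svchost: normal, parent is SYSTEM
        ProcessEvent(3300, 700,  SYSTEM_ACCOUNT, "C:\\Windows\\System32\\svchost.exe"),
        ProcessEvent(3000, 700,  "IIS APPPOOL\\DefaultAppPool", "C:\\Windows\\System32\\inetsrv\\w3wp.exe"),
        # web shell: same account as parent, so not a privilege jump by itself
        ProcessEvent(3100, 3000, "IIS APPPOOL\\DefaultAppPool", "C:\\Windows\\System32\\cmd.exe"),
        # constructed exploit process, still running as the app pool identity
        ProcessEvent(3150, 3100, "IIS APPPOOL\\DefaultAppPool", "C:\\Windows\\Temp\\exploit.exe"),
        # the jump: app-pool process spawns a child running as SYSTEM
        ProcessEvent(3200, 3150, SYSTEM_ACCOUNT, "C:\\Windows\\System32\\cmd.exe"),
    ]


if __name__ == "__main__":
    for parent, child in find_privilege_jumps(sample_events()):
        print(f"ALERT: {parent.image} ({parent.user}, pid {parent.pid}) spawned "
              f"{child.image} as {child.user} (pid {child.pid})")
```

Run as a script it prints one alert, for pid 3200. The rule is deliberately narrow: it keys on the user change between parent and child rather than on any tool name, so it covers the BOF variant as well as the standalone PoC. Tune it against your own baseline (some backup and management agents legitimately launch SYSTEM children from service accounts) and correlate on ProcessGuid rather than pid in real pipelines, since pids are recycled.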