
Se restore module - WinRM Priv Esc #1134

Open
rhymenaucerous wants to merge 8 commits into Pennyw0rth:main from rhymenaucerous:SeImpersonateModule

Conversation


@rhymenaucerous rhymenaucerous commented Mar 4, 2026

Description

I saw the issue linked above and decided to take a swing at it. This module uses WinRM to deploy a privilege escalation tool, using the SeRestorePrivilege, to the target and run it.

I made modifications to the original SeRestoreAbuse exploit by https://github.com/xct/SeRestoreAbuse because it wasn't working in the Win 11 environment that I was testing it in.

The repo was forked and a couple of changes were made (more detail at: https://github.com/rhymenaucerous/SeRestoreAbuse):

  • Triggers seclogon service via Win32 API call of CreateProcessAsUserW()
  • Resets the seclogon registry key following SYSTEM code execution so that the service will run normally after the exploit has run
  • Creates admin user attacker:password123 (Command cannot be modified for this module - would need to update C source file, rebuild VS project, and then add new exe to nxc's data repo)

The only dependency is the listed tool.

Closes #793

AI Disclosure

I used Copilot with Claude Opus 4.6 to help me write the module. It wrote most of the code for this module. I reviewed all the code that was written and made edits.

It did not write any of the code for the privilege escalation tool itself.

It did not do any of the module testing.

It did not write any of this PR.

Type of change

Insert an "x" inside the brackets for relevant items (do not delete options)

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • Deprecation of feature or functionality
  • This change requires a documentation update
  • This requires a third party update (such as Impacket, Dploot, lsassy, etc)
  • This PR was created with the assistance of AI (list what type of assistance, tool(s)/model(s) in the description)

Setup guide for the review

This module was tested on Windows 10 Pro (Ver 22H2 OS Build 19045.6466) and Windows 11 Pro (Ver 25H2 OS Build 26200.7840). Setup instructions:

  • The workstation must have a user with the following accesses/privileges:
    • SeRestorePrivilege
    • Ability to connect via WinRM
    • The target machine must be reachable from the workstation running NetExec

  • Setup
    • SeRestorePrivilege:
      Create a user:
          net user /add testuser password
      Open GUI for setting policy:
          secpol.msc
      Assign SeRestorePrivilege to your newly created user:
          Local Policies -> User Rights Assignment -> Restore Files and Directories -> Add User or Group -> Then add your new user

    • Ability to connect via WinRM:
      Enable WinRM:
          Enable-PSRemoting
      It's possible that your workstation will be set up on a public network, which will prevent Enable-PSRemoting from working. Use the following commands to make your connection private (you should not do this if you do not own the network):
          Get-NetConnectionProfile
          Set-NetConnectionProfile -InterfaceIndex "<Value from previous command>" -NetworkCategory Private

    • The target machine must be reachable from the workstation running NetExec:
      If the device is not pingable from the workstation running nxc, create an inbound firewall rule:
          New-NetFirewallRule -DisplayName "nxc connections" -Direction Inbound -Action Allow -Protocol Any -RemoteAddress "<IP from which the controller will connect>" -PolicyStore PersistentStore

Screenshots:

nxc_SeRestoreAbuse_after

Figure 1. Environment confirmation before testing exploit.

nxc_SeRestoreAbuse_before

Figure 2. Confirmation that exploit works as expected.

Checklist:

Insert an "x" inside the brackets for completed and relevant items (do not delete options)

  • I have run Ruff against my changes (poetry: poetry run ruff check ., use --fix to automatically fix what it can)
  • I have added or updated the tests/e2e_commands.txt file if necessary (new modules or features are required to be added to the e2e tests)
  • If reliant on changes of third party dependencies, such as Impacket, dploot, lsassy, etc, I have linked the relevant PRs in those projects
  • I have linked relevant sources that describe the added technique (blog posts, documentation, etc)
  • I have performed a self-review of my own code (not an AI review)
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation (PR here: https://github.com/Pennyw0rth/NetExec-Wiki)
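The setup guide above describes the preconditions the module depends on: a user holding SeRestorePrivilege, WinRM reachability, and a seclogon service whose registry configuration the tool touches and later resets. The following PowerShell audit is an added example for reviewers and defenders; it is not part of this PR or of NetExec. It enumerates accounts granted SeRestorePrivilege by local policy, reports the seclogon service ImagePath (the default value used for comparison is an assumption for Windows 10/11 and should be confirmed against a known-good host), and lists local Administrators membership, so the state of a test host can be recorded before and checked after a run. Function names are this example's own.

```powershell
# Added defensive audit (not part of this PR or of NetExec). Run from an
# elevated PowerShell prompt: secedit /export requires administrative rights.

function Get-SeRestorePrivilegeHolders {
    # Export only the User Rights Assignment area and parse the SeRestorePrivilege line.
    $inf = Join-Path $env:TEMP 'user-rights-export.inf'
    secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
    $line = Get-Content -Path $inf |
        Where-Object { $_ -match '^SeRestorePrivilege\s*=' } |
        Select-Object -First 1
    Remove-Item -Path $inf -ErrorAction SilentlyContinue
    if (-not $line) { return @() }

    # Right-hand side is a comma-separated list; SIDs are prefixed with '*',
    # plain names (rare) are not.
    $entries = ($line -split '=', 2)[1] -split ',' | ForEach-Object { $_.Trim() }
    foreach ($entry in $entries) {
        if ($entry.StartsWith('*')) {
            $sid = [System.Security.Principal.SecurityIdentifier]::new($entry.Substring(1))
            try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $name = '<unresolved>' }   # deleted account or foreign domain SID
            [pscustomobject]@{ Account = $name; Sid = $sid.Value }
        } else {
            [pscustomobject]@{ Account = $entry; Sid = '' }
        }
    }
}

function Test-SeclogonImagePath {
    param(
        # Assumed default for Windows 10/11 (verify on a clean install before relying on it).
        [string]$Expected = '%windir%\system32\svchost.exe -k netsvcs -p'
    )
    $key    = 'HKLM:\SYSTEM\CurrentControlSet\Services\seclogon'
    $actual = (Get-ItemProperty -Path $key -Name ImagePath).ImagePath
    [pscustomobject]@{
        ImagePath    = $actual
        IsDefault    = ($actual -eq $Expected)
        # Weaker but version-independent sanity check: seclogon is an svchost-hosted service.
        HostsSvchost = ($actual -match 'svchost\.exe')
    }
}

function Get-LocalAdministrators {
    # Snapshot of the local Administrators group; compare before and after a test run.
    Get-LocalGroupMember -Group 'Administrators' |
        Select-Object Name, PrincipalSource, ObjectClass
}

function Invoke-SeRestoreAudit {
    Write-Host '== Accounts granted SeRestorePrivilege by local policy =='
    Get-SeRestorePrivilegeHolders | Format-Table -AutoSize
    Write-Host '== seclogon service ImagePath =='
    Test-SeclogonImagePath | Format-List
    Write-Host '== Local Administrators membership =='
    Get-LocalAdministrators | Format-Table -AutoSize
}

Invoke-SeRestoreAudit
```

Run the audit once after the setup steps (it should show testuser, or its group, under SeRestorePrivilege and an unmodified seclogon ImagePath) and again after the module has been exercised; any change to ImagePath or to the Administrators membership that the test did not intend is the signal to investigate.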

@rhymenaucerous rhymenaucerous changed the title from "Se impersonate module - WinRM Priv Esc" to "Se restore module - WinRM Priv Esc" Mar 4, 2026

@NeffIsBack
Member

Thanks for the PR!

Much appreciate that level of detail and thoroughness in the PR description; that is exactly how it is supposed to look (especially the setup guide for the review). Makes reviewing a heck of a lot easier!

Please also include the source code of the binary in that dir so people, including me, can look at the code themselves and if needed recompile it. Perhaps also include a comment (probably at the top of the file) in the source code linking to your repo so people can look up how to build it etc.

@rhymenaucerous
Author

Thanks so much!

I've just now included the header and source files for the project from my repo.

Please let me know if there's anything else you need or if you have any questions.

Member

@NeffIsBack NeffIsBack left a comment


A few small things, mostly formatting.

@rhymenaucerous
Author

There was only one comment that I didn't understand but I believe I've made all other changes that you requested.

Thanks so much and please let me know if there's anything else or anything that I didn't fix properly!

@NeffIsBack
Member

> There was only one comment that I didn't understand but I believe I've made all other changes that you requested.
>
> Thanks so much and please let me know if there's anything else or anything that I didn't fix properly!

No worries, looking good so far, and thank you for the PR :)

Please be aware that it might take ages for me to test this PR because a lot has piled up by now. We will get there some day tho, I promise :D


Development

Successfully merging this pull request may close these issues.

SeRestore Privilege -> Administrator

2 participants