Commonly Abused Windows Token Privileges: SeRestorePrivilege

SeRestorePrivilege — Restore files and directories

Determines which users can bypass file, directory, registry, and other persistent object permissions when they restore backed up files and directories, and it determines which users can set valid security principals as the owner of an object.

GPO Setting Path

Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment

GPO Setting Name

Restore files and directories

Token Privilege

SeRestorePrivilege

Associated ATT&CK Tactic(s)

Privilege Escalation (TA0004), Defense Evasion (TA0005), Collection (TA0009), Impact (TA0040)