📄️ SeBackupPrivilege
The SeBackupPrivilege is a user right in Windows that allows members of the Backup Operators group to bypass file security to back up files and directories. It enables users to read and back up files regardless of permissions. This privilege is essential for creating backups but also comes with significant security risks if misused. It's typically assigned to system administrators or backup operators.
📄️ Event Log Readers
Event Log Readers is a Windows user group that grants permission to read system and application event logs. It allows users to monitor security events, troubleshoot issues, and analyze system activity without full admin rights. Members can access logs via Event Viewer (eventvwr.msc) or PowerShell (Get-EventLog, Get-WinEvent). This group is useful for auditors, security analysts, and administrators who need log access without elevated privileges.
📄️ DnsAdmins
DnsAdmins is a Windows user group that grants administrative control over the DNS Server service.
📄️ Hyper-V Administrators
The Hyper-V Administrators group grants full control over Hyper-V virtual machines without requiring administrative privileges. Members can create, modify, and execute VMs, which can be abused for privilege escalation by booting custom OS images or accessing disk files of privileged VMs. Attackers can use it to extract credentials, modify system configurations, or escape to the host system. If misconfigured, it can lead to full host compromise from a low-privileged user.
📄️ Print Operators
The Print Operators group has administrative privileges over printers and can install drivers (SeLoadDriverPrivilege), including malicious ones. Members can escalate privileges by loading unsigned drivers, which execute with SYSTEM privileges. Attackers can exploit this by DLL hijacking or abusing printer spooler services. If misconfigured, it can lead to full system compromise through privilege escalation techniques like CVE-2020-1048 (PrintDemon).
📄️ Server Operators
The Server Operators group has broad administrative privileges, including managing services, shares, and local users, but without full administrator rights. Members can start/stop services, modify files, and even execute code with elevated privileges. Attackers can abuse these privileges to modify system services, replace executables, or schedule malicious tasks for privilege escalation. If misconfigured, it can lead to full system takeover by leveraging service abuse or privilege token manipulation.