Domain and Local Groups
Backup Operators
Members of the Backup Operators group may create privileged backups of any file on the system, including the HKLM\SAM and HKLM\SECURITY registry hives. These hives contain the NTLM password hashes of all local users on the system, including the local Administrator account.
NetExec (nxc) automates the attack through its backup_operator module:
nxc smb 10.10.10.10 -u backupop -p password -M backup_operator
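A detection-side example, added here and not part of the original page or of NetExec: it scans Security event 4663 (object access) records for access to the SAM and SECURITY hives by any account other than LocalSystem. It assumes registry auditing is enabled with a SACL on those keys and that events are exported one JSON object per line with the field names shown; the sample events, SIDs, host name and allowlist are constructed.

```python
import json

# Hives named on the page, as they appear in the ObjectName field of audit events.
SENSITIVE_KEYS = (r"\REGISTRY\MACHINE\SAM", r"\REGISTRY\MACHINE\SECURITY")
# Assumption: only LocalSystem is expected to open these keys in this environment.
ALLOWED_SIDS = {"S-1-5-18"}

# Constructed sample events (not real logs); SIDs and host name are made up.
SAMPLE_EVENTS = r"""
{"EventID": 4663, "Computer": "DC01", "SubjectUserSid": "S-1-5-18", "SubjectUserName": "DC01$", "ObjectType": "Key", "ObjectName": "\\REGISTRY\\MACHINE\\SAM"}
{"EventID": 4663, "Computer": "DC01", "SubjectUserSid": "S-1-5-21-1-2-3-1105", "SubjectUserName": "backupop", "ObjectType": "Key", "ObjectName": "\\REGISTRY\\MACHINE\\SAM"}
{"EventID": 4663, "Computer": "DC01", "SubjectUserSid": "S-1-5-21-1-2-3-1105", "SubjectUserName": "backupop", "ObjectType": "Key", "ObjectName": "\\REGISTRY\\MACHINE\\SECURITY"}
{"EventID": 4663, "Computer": "DC01", "SubjectUserSid": "S-1-5-21-1-2-3-1105", "SubjectUserName": "backupop", "ObjectType": "Key", "ObjectName": "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft"}
{"EventID": 4663, "Computer": "DC01", "SubjectUserSid": "S-1-5-21-1-2-3-1105", "SubjectUserName": "backupop", "ObjectType": "File", "ObjectName": "C:\\Temp\\notes.txt"}
this line is not JSON and is skipped
"""


def is_sensitive(object_name):
    """True for the SAM/SECURITY hive roots and their subkeys, case-insensitively."""
    name = object_name.upper()
    # Match the root or a subkey only, so a sibling such as ...\SAMPLE is ignored.
    return any(name == key or name.startswith(key + "\\") for key in SENSITIVE_KEYS)


def find_hive_access(lines):
    """Return (user, host, key) for each non-allowlisted access to a sensitive hive."""
    hits = []
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # blank or malformed export line
        if not isinstance(ev, dict):
            continue
        if ev.get("EventID") != 4663 or ev.get("ObjectType") != "Key":
            continue  # only registry-key object access is of interest
        if ev.get("SubjectUserSid") in ALLOWED_SIDS:
            continue
        if is_sensitive(ev.get("ObjectName", "")):
            hits.append((ev.get("SubjectUserName"), ev.get("Computer"), ev["ObjectName"]))
    return hits


if __name__ == "__main__":
    for user, host, key in find_hive_access(SAMPLE_EVENTS.splitlines()):
        print(f"ALERT: {user} accessed {key} on {host}")
```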