Backup Operator accounts are ubiquitous and often overlooked by both blue and red teams.These accounts have abusable permissions and are rarely maintained properly.In this talk we will examine and demonstrate novel techniques to stealthily compromise Active Directory through the Backup Operator’s account.We will use the Backup Operator account to gain local Admin privilege, establish persistence, and pivot laterally throughout a domain.However, all is not lost in that we can further lockdown our systems and enable auditing measures to deter and detect these attacks.
Dave Mayer is a Senior Security Consultant with InGuardians, specializing in Red Teaming and Penetration Testing. Previously he was on the Red Team for a global financial organization where he performed Red Team engagements, internal and external penetration tests, and product testing. Prior to that he worked within healthcare as an Information Security Generalist.