You don't need to local admin privilege on the remote target if you are in SeBackupPrivilege
If the controlled user has the SeBackupPrivilege, it can dump SAM, SYSTEM, SECURITY and therefore the NTDS.dit on the target system. No admin privs needed!
nxc smb <ip> -u username -p password -M backup_operator
Last updated 9 months ago
Was this helpful?
