Backup Operators is Tier-0: how SeBackupPrivilege dumps your domain
Backup Operators on a domain controller is not a benign IT-ops group. SeBackupPrivilege lets a member read NTDS.dit and dump every hash, KRBTGT included.
A backup right that sounds like routine IT operations is, on a domain controller, the power to dump every credential in the domain.
How the attack works
A member of the Backup Operators group uses SeBackupPrivilege on a domain controller to create a volume shadow copy, then reads the locked NTDS.dit database and the SYSTEM registry hive from that shadow path, bypassing the live-file locks. Taken offline together, those two files yield every account hash in the directory, including KRBTGT. That is the offline equivalent of a full DCSync. With the KRBTGT hash in hand the attacker mints forged Kerberos tickets and moves freely as any principal. In ATT&CK terms this is T1003, OS Credential Dumping, reached through T1078, Valid Accounts.
Why it works
SeBackupPrivilege exists to let backup software read files it does not own, so it deliberately bypasses access controls and file locks. On an ordinary server that is fine. On a domain controller it means anyone holding the privilege can read the entire credential store. The misconfiguration is treating Backup Operators as an ops convenience rather than as a Tier-0 group with domain-secret-dump capability.
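Before you can treat Backup Operators as Tier-0 you need to know who is in it and whether anyone is actually logging on to a domain controller with the privilege. The following is an added example, not code from the original post: it expands Backup Operators through nested groups and compares the result with an allow-list, then reads Security event 4672 ("Special privileges assigned to new logon") on the controller and reports logons that were granted SeBackupPrivilege. It assumes the ActiveDirectory module, rights to read the DC Security log, and that the "Special Logon" audit subcategory is enabled; the allow-list name svc-backup-dc is a placeholder.

```powershell
# Added example (not from the original post). Assumes: ActiveDirectory module,
# run on or against a domain controller, audit policy "Special Logon" enabled.
Import-Module ActiveDirectory

function Test-BackupOperatorsMembership {
    param(
        # Hypothetical allow-list of dedicated, hardened backup identities.
        [string[]]$Approved = @('svc-backup-dc')   # placeholder, replace with your own
    )
    # -Recursive expands nested groups, which is where unexpected members usually hide.
    $members = Get-ADGroupMember -Identity 'Backup Operators' -Recursive |
        Where-Object { $_.objectClass -eq 'user' }
    foreach ($m in $members) {
        if ($Approved -notcontains $m.SamAccountName) {
            Write-Warning "Backup Operators member not on allow-list: $($m.SamAccountName)"
        }
    }
    $members
}

function Get-BackupPrivilegeLogons {
    param([int]$Hours = 24)
    # 4672 is written at logon and lists the privileges the token received.
    # It records assignment, not each use, but Backup Operators should almost
    # never log on to a DC, so any hit outside the allow-list is worth a look.
    $since  = (Get-Date).AddHours(-$Hours)
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4672; StartTime = $since } `
                           -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $x    = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        # Skip SYSTEM (S-1-5-18); it always carries the privilege and floods the output.
        if ($data['SubjectUserSid'] -eq 'S-1-5-18') { continue }
        if ($data['PrivilegeList'] -match 'SeBackupPrivilege') {
            [pscustomobject]@{
                Time    = $e.TimeCreated
                Account = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
                LogonId = $data['SubjectLogonId']
                Privs   = ($data['PrivilegeList'] -replace '\s+', ' ')
            }
        }
    }
}

Test-BackupOperatorsMembership | Format-Table SamAccountName, distinguishedName
Get-BackupPrivilegeLogons -Hours 24 | Format-Table -AutoSize
```

Domain Admins and other built-in administrators also receive SeBackupPrivilege at logon, so the 4672 output is a list of privileged DC logons to reconcile against expected identities, not a list of attackers. The LogonId lets you join each hit to its 4624 logon event for source address and logon type.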
How to fix it
You cannot recall an offline copy of the files, so size the response as a full domain credential compromise. Double-reset KRBTGT, spacing the two resets by more than the maximum Kerberos ticket lifetime so the stolen key is fully retired, then rotate Tier-0 and other exposed credentials and isolate the controller. The root-cause fix is governance: minimize Backup Operators membership, use dedicated hardened backup identities, scope backup rights away from domain controllers where possible, and monitor SeBackupPrivilege use on controllers. The non-obvious move is the double reset; a single KRBTGT reset still lets the attacker forge tickets during the overlap window, because the previous key remains valid for tickets issued under it.
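The double reset is easy to get wrong under pressure: run the second reset too early and tickets issued under the stolen key are still honoured, run it before the first reset has replicated and you can break authentication across the domain. The following is an added example, not the post's own tooling, showing one way to enforce both conditions. It assumes the ActiveDirectory module, Domain Admin rights, a writable DC, and a maximum TGT lifetime of 10 hours (the domain default; pass a different value if your Kerberos policy changes it). Replication convergence is judged by the pwdLastSet attribute version of the krbtgt object being identical on every DC.

```powershell
# Added example (not from the original post). Assumes: ActiveDirectory module,
# Domain Admin rights, run against a writable DC, default 10 h TGT lifetime.
Import-Module ActiveDirectory

function Get-KrbtgtResetState {
    # When krbtgt was last reset, and whether that change has reached every DC.
    $krbtgt = Get-ADUser -Identity krbtgt -Properties PasswordLastSet
    $dcs    = Get-ADDomainController -Filter *
    $perDc  = foreach ($dc in $dcs) {
        $meta = Get-ADReplicationAttributeMetadata -Object $krbtgt.DistinguishedName `
                    -Server $dc.HostName -Properties pwdLastSet
        [pscustomobject]@{ DC = $dc.HostName; Version = $meta.Version }
    }
    [pscustomobject]@{
        LastReset = $krbtgt.PasswordLastSet
        Converged = (($perDc.Version | Sort-Object -Unique).Count -eq 1)
        PerDC     = $perDc
    }
}

function Invoke-KrbtgtReset {
    param(
        # Assumption: maximum TGT lifetime from Kerberos policy (domain default 10 h).
        [int]$MaxTicketLifetimeHours = 10,
        # Extra margin for clock skew and slow replication partners.
        [int]$MarginHours = 2,
        [switch]$Force
    )
    $state   = Get-KrbtgtResetState
    $elapsed = (Get-Date) - $state.LastReset
    $minGap  = $MaxTicketLifetimeHours + $MarginHours
    if (-not $Force) {
        if ($elapsed.TotalHours -lt $minGap) {
            throw ("Only {0:N1} h since the last krbtgt reset; wait until {1} h have passed " +
                   "so tickets issued under the old key have expired.") -f $elapsed.TotalHours, $minGap
        }
        if (-not $state.Converged) {
            throw "Previous reset has not replicated to every DC:`n$($state.PerDC | Out-String)"
        }
    }
    # The password value itself is irrelevant (the Kerberos keys are derived from it);
    # it only has to be long and unpredictable, and nobody needs to record it.
    $bytes = New-Object byte[] 64
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $secure = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
    Set-ADAccountPassword -Identity krbtgt -Reset -NewPassword $secure
    "krbtgt reset at $(Get-Date -Format o); run this again after $minGap h for the second reset."
}

# Usage: first reset during the incident, second reset once the gap has elapsed.
Get-KrbtgtResetState
Invoke-KrbtgtReset
```

Use -Force only for the first reset if a recent legitimate reset would otherwise block it; never for the second. Between the two runs, Get-KrbtgtResetState shows whether the first change has converged, which is the other precondition the wait enforces.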
Practice it
We built this as a GraphLattice Range scenario so responders can work the shadow-copy read, recognize it as an offline DCSync, and run the double KRBTGT reset under time pressure.