The BackupOperatorToolkit contains different techniques allowing you to escalate from Backup Operator to Domain Admin.

Usage

The BackupOperatorToolkit (BOT) has 4 different mode that allows you to escalate from Backup Operator to Domain Admin.
Use “runas.exe /netonly /user:domain.dkbackupoperator powershell.exe” before running the tool.

DSRM Mode

The DSRM mode will set the DsrmAdminLogonBehavior

DUMP Mode

The DUMP mode will dump the SAM, SYSTEM, and SECURITY hives to a local path on the remote host or upload the files to a network share.
Once the hives have been dumped you could PtH with the Domain Controller hash, crack DSRM and enable network auth, or possibly authenticate with another account found in the dumps. Accounts from other forests may be stored in these files, I’m not sure why but this has been observed on engagements with

IFEO Mode

The IFEO (Image File Execution Options) will enable you to run an application when a specifc process is terminated.
This could grant a shell before the SERVICE mode will in case the target host is heavily utilized and rarely rebooted.
The executable will be running as a child to the WerFault.exe process.

.BackupOperatorToolkit.exe IFEO notepad.exe \PathTopwn.exe \TARGET.DOMAIN.DK