DSRM
Last updated
Last updated
Directory Services Restore Mode (DSRM) is a safe boot mode which allows emergency access to the Domain Controller for database repairs and recovery. When Active Directory is initially setup the Administrator will be prompted for a password to use for DSRM if ever needed.
Mimikatz can be leveraged here to extract the local administrator (DSRM) hash and after making some registry changes, the hash and account can be used for persistence in the Domain.
DSRM creates a local administrator account on the Domain Controller that is different from the Domain administrator account.
The following lab consists of the following fully patched systems
Windows Server 2019 - Domain Controller
Windows 21H1 - Endpoint
This scenario takes places in the late stage kill chain, where the Domain Administrator's account has been compromised and the adversary has successfully loaded Mimikatz on both the Domain Controller and an endpoint.
Over on the Domain Controller the following commands have been executed using Mimikatz.
We can see below where the Administrator hashes for the local (SAM) and Domain (LSA) accounts are different.
Now, that the DSRM local administrator hash have been obtained, a registry key setting will need to be altered or created on the Domain Controller to enable persistence.
Over on a client endpoint on the network we have Mimikatz running with Domain Administrator privileges.
After this has been executed we see as per the image below a secondary command shell has been opened with the privileges of the local administrator of the Domain Controller on the endpoint Workstation-01.
Regularly change DSRM passwords on all Domain Controllers that run DSRM. Ensuring the passwords are different across controllers.
Monitor for the registry key DsrmAdminLogonBehaviour in HKLM:\System\CurrentControlSet\Control\Lsa\ being set to the value of 1 or 2.
