Complete list of Sneaky Active Directory Persistence Tricks posts <\/a><\/p>\n <\/p>\n The Directory Restore Mode Account<\/strong><\/span><\/p>\n Every Domain Controller has an internal \u201cBreak glass\u201d local administrator account to DC called the Directory Services Restore Mode (DSRM) account. The DSRM password set when DC is promoted and is rarely changed. The primary method to change the DSRM password on a Domain Controller involves running the ntdsutil command line tool.<\/p>\n Beginning with hotfix KB961320<\/a> on Windows Server 2008, there is now the option to synchronize the DSRM password on a DC with a specific domain account. Note that this must be performed every time the password is changed; it does not create an automatic sync partnership.<\/p>\n <\/p>\n Changing the DSRM Account Password:<\/a><\/span><\/p>\n Run the following command on every DC (or remotely against every DC by replacing “null” with DC name)<\/p>\n Synchronize the DSRM Account Password with a Domain Account (2k8 & newer)<\/a>: NTDSUTIL What’s interesting about the DSRM password is that the DSRM account is actually “Administrator”. This means that once an attacker has the DSRM password for a Domain Controller (or DCs), it’s possible to use this account to logon to the Domain Controller over the network as a local administrator.<\/em><\/p>\n We can confirm this with Mimikatz by creating a new AD user with a known password. Set the DSRM acount password sync from the domain user account and compare the hashes.<\/p>\n DSRMTest NTLM Password Hash: 2b391dfc6690cc38547d74b8bd8a5b49 The second graphic shows a local Administrator account on the DC called “Administrator” with the same password hash as the DSRMTest domain user account.<\/p>\n Note: The local SAM file is located here: C:\\Windows\\System32\\config\\SAM<\/p>\n <\/p>\n Using DSRM Credentials<\/b><\/span><\/p>\n Once you know the DSRM account password (local Administrator account on the DC), there are a few tricks to how it can be used.<\/p>\n Logging on to a DC with the DSRM account:<\/span><\/p>\n Access DSRM without Rebooting:<\/p>\n PowerShell New-ItemProperty \u201cHKLM:\\System\\CurrentControlSet\\Control\\Lsa\\\u201d -Name \u201cDsrmAdminLogonBehavior\u201d -Value 2 -PropertyType DWORD<\/p>\n The registry value is located at HKLM\\System\\CurrentControlSet\\Control\\Lsa\\DSRMAdminLogonBehavior. Its possible values are:<\/p>\n The capability of DSRM account credential is explored further in the post “Sneaky Active Directory Persistence #13: DSRM Persistence v2<\/a>“.<\/p>\n <\/p>\n Using DSRM Credentials over the network<\/b><\/span><\/p>\n It is possible to use the DSRM Credentials over the network.<\/p>\n When Windows 2000 and Active Directory were released, DSRM being limited to console logon was a good security method. Today, however, there are several methods to logon to a system “at the console”:<\/p>\n Once logged in as the local DC’s DSRM account (DC local admin), we can confirm we are on a DC and that this is the DC’s local administrator account. not a domain account.<\/p>\n Further proof that this is not a domain account.<\/p>\n <\/p>\n Detection<\/b><\/span><\/p>\n <\/p>\n References:<\/strong><\/span><\/p>\n <\/p>\n","protected":false},"excerpt":{"rendered":" The content in this post describes a method by which an attacker could persist administrative access to Active Directory after having Domain Admin level rights for 5 minutes. I presented on this AD persistence method in Las Vegas at DEF CON 23 (2015). Complete list of Sneaky Active Directory Persistence Tricks posts The Directory … <\/p>\n\n
\n<\/span>In an elevated CMD prompt where you have logged on as a Domain Admin, run:<\/p>\n
\nSET DSRM PASSWORD
\nSYNC FROM DOMAIN ACCOUNT <your user here>
\n<\/i>Q
\nQ<\/p>\n
\nUsing DSRM to Backdoor Active Directory
\n<\/strong><\/span><\/p>\n
\nAdministrator (500) Local Account NTLM Password Hash: 2b391dfc6690cc38547d74b8bd8a5b49<\/p>\n![\"SneakyPersistence-DSRM-Mimikatz-DSRMTeast-And-Administrator\"](\"https:\/\/adsecurity.org\/wp-content\/uploads\/2015\/09\/SneakyPersistence-DSRM-Mimikatz-DSRMTeast-And-Administrator.jpg\")
<\/a><\/p>\n\n
\n
\n
\n
\n
\n
![\"SneakyPersistence-DSRM-RDP-MSTSC-Admin\"](\"https:\/\/adsecurity.org\/wp-content\/uploads\/2015\/09\/SneakyPersistence-DSRM-RDP-MSTSC-Admin.jpg\")
<\/a><\/p>\n![\"SneakyPersistence-DSRM-RDP-MSTSC-Admin-ADSDC01-Administrator-03\"](\"https:\/\/adsecurity.org\/wp-content\/uploads\/2015\/09\/SneakyPersistence-DSRM-RDP-MSTSC-Admin-ADSDC01-Administrator-03.jpg\")
<\/a><\/p>\n![\"SneakyPersistence-DSRM-GetDC-ADSDC01-Whoami-DSRM\"](\"https:\/\/adsecurity.org\/wp-content\/uploads\/2015\/09\/SneakyPersistence-DSRM-GetDC-ADSDC01-Whoami-DSRM.jpg\")
<\/a><\/p>\n![\"SneakyPersistence-DSRM-Not-A-Domain-Admin-On-DC\"](\"https:\/\/adsecurity.org\/wp-content\/uploads\/2015\/09\/SneakyPersistence-DSRM-Not-A-Domain-Admin-On-DC.jpg\")
<\/a><\/p>\n\n
\n
\n
\n