\nI also presented<\/a> and posted on DSRM as a persistence method<\/a> previously.<\/p>\n
Complete list of Sneaky Active Directory Persistence Tricks posts <\/a><\/p>\n Special thanks to Benjamin Delpy<\/a> since the research highlighted on this page wouldn’t have been possible without his valuable input.<\/em><\/span><\/p>\n <\/p>\n The Directory Restore Mode Account<\/strong><\/p>\n Every Domain Controller has an internal \u201cBreak glass\u201d local administrator account to DC called the Directory Services Restore Mode (DSRM) account. The DSRM password is set when a new DC is promoted and the password is rarely changed.<\/p>\n The DSRM account name is “Administrator” and is the Domain Controller\u2019s local admin account. Mimikatz “token::elevate” “lsadump::sam” exit<\/i><\/p>\n Using DSRM Credentials (standard methods)<\/b><\/p>\n Once you know the DSRM account password (local Administrator account on the DC), there are a few tricks to how it can be used.<\/p>\n Logging on to a DC with the DSRM account:<\/p>\n The DSRM Account is a local admin account, so let’s see what else is possible…<\/p>\n <\/p>\n Advanced Method for Using DSRM Credentials (Windows 2012 R2)<\/b><\/p>\n What’s really interesting about this account is that since it’s a valid local administrator account, it can be used to authenticate over the network to the DC (ensure the\u00a0DsrmAdminLogonBehavior regkey is set to 2) . Furthermore, the attacker doesn’t need to know the actual password, all that’s required is the password hash. This means that once an attacker has the password hash for the DSRM account, it can be “passed” to the DC for valid admin access to the DC across the network using Pass-the-Hash. This was tested successfully in limited lab testing on a Windows Server 2008 R2 & 2012 R2 Domain Controllers.<\/p>\n Mimikatz “privilege::debug” “sekurlsa::pth \/domain:ADSDC03 \/user:Administrator \/ntlm:7c08d63a2f48f045971bc2236ed3f3ac” exit Gaining access to a Domain Controller’s file system is nice, but we can do better!<\/p>\n <\/p>\n DSRM PTH to DCSync! Since it is possible to pass-the-hash for the DSRM account, why not leverage this access to pull password data for any domain account using Mimikatz DCSync. We can target the specific Domain Controller and by using the DC’s short name, we force NTLM authentication.
\nWe can confirm this with Mimikatz by dumping the local SAM credentials on a Domain Controller.<\/p>\n![\"SneakyPersistence-DSRM-v2-Dump-DSRM-Local-DCAdministrator-Account\"](\"https:\/\/adsecurity.org\/wp-content\/uploads\/2015\/09\/SneakyPersistence-DSRM-v2-Dump-DSRM-Local-DCAdministrator-Account.jpg\")
<\/a><\/p>\n\n
\n
\n
\n<\/i><\/p>\n![\"SneakyPersistence-DSRM-v2-Dump-DSRM-Local-DCAdministrator-Account-PTH-Connect-DriveC\"](\"https:\/\/adsecurity.org\/wp-content\/uploads\/2015\/09\/SneakyPersistence-DSRM-v2-Dump-DSRM-Local-DCAdministrator-Account-PTH-Connect-DriveC.jpg\")
<\/a><\/p>\n
\n<\/b><\/p>\n
\nMimikatz “lsadump::dcsync \/domain:lab.adsecurity.org \/dc:adsdc03 \/user:krbtgt<\/em><\/p>\n
![\"SneakyPersistence-DSRM-v2-Dump-DSRM-Local-DCAdministrator-Account-PTH-DCSync-For-KRBTGT\"](\"https:\/\/adsecurity.org\/wp-content\/uploads\/2015\/09\/SneakyPersistence-DSRM-v2-Dump-DSRM-Local-DCAdministrator-Account-PTH-DCSync-For-KRBTGT.jpg\")
<\/a><\/p>\n