Domain Controller Local Administrator

🔒 Secure Bits 💡
Did you know there's a local Administrator account on Domain Controllers?

Yes — it's the DSRM account (Directory Services Restore Mode), used in disaster recovery scenarios when AD is offline.
But it can also be abused as a persistence mechanism.

๐Ÿ“Œย ๐—•๐˜† ๐—ฑ๐—ฒ๐—ณ๐—ฎ๐˜‚๐—น๐˜, ๐˜๐—ต๐—ฒ ๐——๐—ฆ๐—ฅ๐—  ๐—ฎ๐—ฐ๐—ฐ๐—ผ๐˜‚๐—ป๐˜:
โ€“ Is local-only
โ€“ Doesnโ€™t allow interactive or network login
โ€“ Stores its password hash in the local SAM
โ€“ Is not visible in AD or subject to normal domain policies

๐Ÿ“Œย ๐—œ๐˜ ๐—ฐ๐—ฎ๐—ป ๐—ฏ๐—ฒ ๐—ฒ๐—ป๐—ฎ๐—ฏ๐—น๐—ฒ๐—ฑ ๐˜‚๐˜€๐—ถ๐—ป๐—ด ๐˜๐—ต๐—ถ๐˜€ ๐—ฟ๐—ฒ๐—ด๐—ถ๐˜€๐˜๐—ฟ๐˜† ๐—ธ๐—ฒ๐˜†:
HKLMSYSTEMCurrentControlSetControlLsa
โ†’ย DsrmAdminLogonBehavior
0ย or missing = login disabled
1ย = allows local login
2ย = allowsย network authenticationย (e.g. NTLM)

๐Ÿ› ๏ธ If an attacker has the DSRM hash and the registry is set toย 2, they can authenticate over the network โ€” even to a Domain Controller.

โœ…ย ๐—•๐—ฒ๐˜€๐˜ ๐—ฝ๐—ฟ๐—ฎ๐—ฐ๐˜๐—ถ๐—ฐ๐—ฒ๐˜€:
โ€“ Change the DSRM password periodically
โ€“ Review the registry key across all DCs
โ€“ Monitor for usage of the DSRM account
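The registry key described above and the "review the registry key across all DCs" practice can be turned into a one-shot audit. The following script is an added example, not code from the original post or from the linked article; it assumes the ActiveDirectory RSAT module is installed and that PowerShell Remoting (WinRM) is allowed to every Domain Controller. The value meanings (0/missing, 1, 2) are the ones stated in the post.

```powershell
# Added example: audit DsrmAdminLogonBehavior on every DC in the domain
# and optionally reset any enabled value back to 0 (login disabled).
# Assumes: ActiveDirectory module (RSAT) and WinRM access to each DC.
#Requires -Modules ActiveDirectory
param(
    [switch]$Remediate   # when set, non-zero values are reset to 0
)

$keyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$valueName = 'DsrmAdminLogonBehavior'

# Meaning of each value, as described in the post
$meaning = @{
    0 = 'login disabled (default)'
    1 = 'allows local login'
    2 = 'allows network authentication (e.g. NTLM)'
}

# Enumerate all DCs rather than relying on a hand-maintained list
$dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

# Read the value remotely; a missing value is reported as $null
$results = Invoke-Command -ComputerName $dcs -ScriptBlock {
    param($path, $name)
    $item = Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue
    [pscustomobject]@{
        DC    = $env:COMPUTERNAME
        Value = if ($null -ne $item) { [int]$item.$name } else { $null }
    }
} -ArgumentList $keyPath, $valueName

foreach ($r in $results) {
    $shown = if ($null -eq $r.Value) { 'missing' } else { $r.Value }
    $desc  = if ($null -eq $r.Value) { $meaning[0] } else { $meaning[$r.Value] }
    if ($null -eq $desc) { $desc = 'unexpected value' }

    # Only 0 or a missing value is the secure baseline; anything else is flagged
    if ($null -ne $r.Value -and $r.Value -ne 0) {
        Write-Warning ("{0}: {1} = {2} ({3})" -f $r.DC, $valueName, $shown, $desc)
        if ($Remediate) {
            Invoke-Command -ComputerName $r.DC -ScriptBlock {
                param($path, $name)
                Set-ItemProperty -Path $path -Name $name -Value 0 -Type DWord
            } -ArgumentList $keyPath, $valueName
            Write-Host ("  -> {0} reset to 0 on {1}" -f $valueName, $r.DC)
        }
    }
    else {
        Write-Host ("{0}: {1} = {2} ({3})" -f $r.DC, $valueName, $shown, $desc)
    }
}
```

Run it first without `-Remediate` to get a read-only inventory; every DC should report `0` or `missing`. A DC reporting `1` or `2` without a documented recovery reason is the finding to chase, and re-running with `-Remediate` sets the value back to `0` explicitly (deleting the value would have the same effect, since missing also means disabled, but an explicit `0` is easier to verify on the next audit).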

๐——๐—ถ๐—ฑ ๐˜†๐—ผ๐˜‚ ๐—ธ๐—ป๐—ผ๐˜„ ๐—ฎ๐—ฏ๐—ผ๐˜‚๐˜ ๐˜๐—ต๐—ถ๐˜€?

๐Ÿ“ Full article by Abdul Mhanni โ€“ https://www.abdulmhsblog.com/posts/dsrmadmin/