Directory Service Restore Mode(DSRM) Registry Value Tampering

calendar Oct 23, 2025 · attack.defense-evasion attack.credential-access attack.persistence attack.t1556  ·
Share on: linkedin copy

Detects changes to "DsrmAdminLogonBehavior" registry value. During a Domain Controller (DC) promotion, administrators create a Directory Services Restore Mode (DSRM) local administrator account with a password that rarely changes. The DSRM account is an “Administrator” account that logs in with the DSRM mode when the server is booting up to restore AD backups or recover the server from a failure. Attackers could abuse DSRM account to maintain their persistence and access to the organization's Active Directory. If the "DsrmAdminLogonBehavior" value is set to "0", the administrator account can only be used if the DC starts in DSRM. If the "DsrmAdminLogonBehavior" value is set to "1", the administrator account can only be used if the local AD DS service is stopped. If the "DsrmAdminLogonBehavior" value is set to "2", the administrator account can always be used.

Sigma rule (View on GitHub)

 1title: Directory Service Restore Mode(DSRM) Registry Value Tampering
 2id: b61e87c0-50db-4b2e-8986-6a2be94b33b0
 3related:
 4    - id: 53ad8e36-f573-46bf-97e4-15ba5bf4bb51
 5      type: similar
 6status: test
 7description: |
 8    Detects changes to "DsrmAdminLogonBehavior" registry value.
 9    During a Domain Controller (DC) promotion, administrators create a Directory Services Restore Mode (DSRM) local administrator account with a password that rarely changes. The DSRM account is an “Administrator” account that logs in with the DSRM mode when the server is booting up to restore AD backups or recover the server from a failure.
10    Attackers could abuse DSRM account to maintain their persistence and access to the organization's Active Directory.
11    If the "DsrmAdminLogonBehavior" value is set to "0", the administrator account can only be used if the DC starts in DSRM.
12    If the "DsrmAdminLogonBehavior" value is set to "1", the administrator account can only be used if the local AD DS service is stopped.
13    If the "DsrmAdminLogonBehavior" value is set to "2", the administrator account can always be used.    
14references:
15    - https://adsecurity.org/?p=1785
16    - https://www.sentinelone.com/blog/detecting-dsrm-account-misconfigurations/
17    - https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/dsrm-credentials
18author: Nischal Khadgi
19date: 2024-07-11
20tags:
21    - attack.defense-evasion
22    - attack.credential-access
23    - attack.persistence
24    - attack.t1556
25logsource:
26    category: registry_set
27    product: windows
28detection:
29    selection:
30        TargetObject|endswith: '\Control\Lsa\DsrmAdminLogonBehavior'
31    filter_main_default_value:
32        Details: 'DWORD (0x00000000)' # Default value
33    condition: selection and not 1 of filter_main_*
34falsepositives:
35    - Unknown
36level: high

References

  • Sneaky Active Directory Persistence #13: DSRM Persistence v2

    The content in this post describes a method by which an attacker could persist administrative access to Active Directory after having Domain Admin level rights for 5 minutes. I presented on this AD persistence method at DerbyCon (2015). I also presented and posted on DSRM as a persistence method previously. Complete list of Sneaky Active ...


    Read More

  • Detecting DSRM Account Misconfigurations

    The Attivo ADAssessor solution detects DSRM account misconfigurations and alerts when DSRM login is enabled, or the account is activated.


    Read More

  • DSRM Credentials - HackTricks

    Reading time: 3 minutes tip Learn & practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE) Learn & practic...


    Read More

Related rules

to-top