Directory Service Restore Mode(DSRM) Registry Value Tampering
Detects changes to "DsrmAdminLogonBehavior" registry value. During a Domain Controller (DC) promotion, administrators create a Directory Services Restore Mode (DSRM) local administrator account with a password that rarely changes. The DSRM account is an “Administrator” account that logs in with the DSRM mode when the server is booting up to restore AD backups or recover the server from a failure. Attackers could abuse DSRM account to maintain their persistence and access to the organization's Active Directory. If the "DsrmAdminLogonBehavior" value is set to "0", the administrator account can only be used if the DC starts in DSRM. If the "DsrmAdminLogonBehavior" value is set to "1", the administrator account can only be used if the local AD DS service is stopped. If the "DsrmAdminLogonBehavior" value is set to "2", the administrator account can always be used.
Sigma rule (View on GitHub)
1title: Directory Service Restore Mode(DSRM) Registry Value Tampering
2id: b61e87c0-50db-4b2e-8986-6a2be94b33b0
3related:
4 - id: 53ad8e36-f573-46bf-97e4-15ba5bf4bb51
5 type: similar
6status: experimental
7description: |
8 Detects changes to "DsrmAdminLogonBehavior" registry value.
9 During a Domain Controller (DC) promotion, administrators create a Directory Services Restore Mode (DSRM) local administrator account with a password that rarely changes. The DSRM account is an “Administrator” account that logs in with the DSRM mode when the server is booting up to restore AD backups or recover the server from a failure.
10 Attackers could abuse DSRM account to maintain their persistence and access to the organization's Active Directory.
11 If the "DsrmAdminLogonBehavior" value is set to "0", the administrator account can only be used if the DC starts in DSRM.
12 If the "DsrmAdminLogonBehavior" value is set to "1", the administrator account can only be used if the local AD DS service is stopped.
13 If the "DsrmAdminLogonBehavior" value is set to "2", the administrator account can always be used.
14references:
15 - https://adsecurity.org/?p=1785
16 - https://www.sentinelone.com/blog/detecting-dsrm-account-misconfigurations/
17 - https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/dsrm-credentials
18author: Nischal Khadgi
19date: 2024-07-11
20tags:
21 - attack.persistence
22 - attack.t1556
23logsource:
24 category: registry_set
25 product: windows
26detection:
27 selection:
28 TargetObject|endswith: '\Control\Lsa\DsrmAdminLogonBehavior'
29 filter_main_default_value:
30 Details: 'DWORD (0x00000000)' # Default value
31 condition: selection and not 1 of filter_main_*
32falsepositives:
33 - Unknown
34level: high
References
-
The content in this post describes a method by which an attacker could persist administrative access to Active Directory after having Domain Admin level rights for 5 minutes. I presented on this AD...
Read More -
The Attivo ADAssessor solution detects DSRM account misconfigurations and alerts when DSRM login is enabled, or the account is activated.
Read More -
DSRM Credentials There is a local administrator account inside each DC. Having admin privileges in this machine you can use mimikatz to dump the local Administrator hash. Then, modifying a registry...
Read More
Related rules
- AWS Identity Center Identity Provider Change
- CA Policy Removed by Non Approved Actor
- CA Policy Updated by Non Approved Actor
- Certificate-Based Authentication Enabled
- Change to Authentication Method