EXPLORE
Sign In
← Back to Explore
sigmahighHunting

Directory Service Restore Mode(DSRM) Registry Value Tampering

Detects changes to "DsrmAdminLogonBehavior" registry value. During a Domain Controller (DC) promotion, administrators create a Directory Services Restore Mode (DSRM) local administrator account with a password that rarely changes. The DSRM account is an “Administrator” account that logs in with the DSRM mode when the server is booting up to restore AD backups or recover the server from a failure. Attackers could abuse DSRM account to maintain their persistence and access to the organization's Active Directory. If the "DsrmAdminLogonBehavior" value is set to "0", the administrator account can only be used if the DC starts in DSRM. If the "DsrmAdminLogonBehavior" value is set to "1", the administrator account can only be used if the local AD DS service is stopped. If the "DsrmAdminLogonBehavior" value is set to "2", the administrator account can always be used.

MITRE ATT&CK

T1556
defense-evasioncredential-accesspersistence

Detection Query

selection:
  TargetObject|endswith: \Control\Lsa\DsrmAdminLogonBehavior
filter_main_default_value:
  Details: DWORD (0x00000000)
condition: selection and not 1 of filter_main_*

Author

Nischal Khadgi

Created

2024-07-11

Data Sources

windowsRegistry Set Events

Platforms

windows

References

Tags

attack.defense-evasionattack.credential-accessattack.persistenceattack.t1556
Raw Content
title: Directory Service Restore Mode(DSRM) Registry Value Tampering
id: b61e87c0-50db-4b2e-8986-6a2be94b33b0
related:
    - id: 53ad8e36-f573-46bf-97e4-15ba5bf4bb51
      type: similar
status: test
description: |
    Detects changes to "DsrmAdminLogonBehavior" registry value.
    During a Domain Controller (DC) promotion, administrators create a Directory Services Restore Mode (DSRM) local administrator account with a password that rarely changes. The DSRM account is an “Administrator” account that logs in with the DSRM mode when the server is booting up to restore AD backups or recover the server from a failure.
    Attackers could abuse DSRM account to maintain their persistence and access to the organization's Active Directory.
    If the "DsrmAdminLogonBehavior" value is set to "0", the administrator account can only be used if the DC starts in DSRM.
    If the "DsrmAdminLogonBehavior" value is set to "1", the administrator account can only be used if the local AD DS service is stopped.
    If the "DsrmAdminLogonBehavior" value is set to "2", the administrator account can always be used.
references:
    - https://adsecurity.org/?p=1785
    - https://www.sentinelone.com/blog/detecting-dsrm-account-misconfigurations/
    - https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/dsrm-credentials
author: Nischal Khadgi
date: 2024-07-11
tags:
    - attack.defense-evasion
    - attack.credential-access
    - attack.persistence
    - attack.t1556
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|endswith: '\Control\Lsa\DsrmAdminLogonBehavior'
    filter_main_default_value:
        Details: 'DWORD (0x00000000)' # Default value
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: high