diff --git a/artifacts/_template.yml b/artifacts/_template.yml index 5094d20..8cf61be 100644 --- a/artifacts/_template.yml +++ b/artifacts/_template.yml @@ -129,4 +129,4 @@ contribution: date_added: "2025-01-15" last_updated: "2025-01-15" version: "1.0" - reviewed_by: "Reviewer Name" # Optional + reviewed_by: "Reviewer Name" # Optional \ No newline at end of file diff --git a/artifacts/persistence-methods/Dsrm_Admin_Logon_Behaviour.yml b/artifacts/persistence-methods/Dsrm_Admin_Logon_Behaviour.yml new file mode 100644 index 0000000..9147af1 --- /dev/null +++ b/artifacts/persistence-methods/Dsrm_Admin_Logon_Behaviour.yml @@ -0,0 +1,105 @@ +title: "DSRM Admin Logon Behavior Registry Key" +category: "persistence-methods" + +description: "Directory Services Restore Mode (DSRM) administrator account logon configuration - values of 1 or 2 indicate guaranteed compromise and persistence over Active Directory forest" + +paths: + - "HKLM\\System\\CurrentControlSet\\Control\\Lsa\\DsrmAdminLogonBehavior" + +details: + what: | + The DsrmAdminLogonBehavior registry key controls the behavior of the Directory Services Restore Mode (DSRM) administrator account. + Normally (and almost always) this key is either non-existent OR set to 0. This means the DSRM admin account cannot + logon locally OR over the network. If the key is set to 1, the DSRM admin account can logon locally, and if set to 2, + network authentication is allowed. This configuration is extremely rare in normal environments and indicates compromise. + + forensic_value: | + This artifact proves that someone had the privileges to edit the Domain Controller registry and alter critical security settings. + The DSRM account functions as a local administrator, enabling DC sync attacks, hash/key/secret extraction, DPAPI backup master key access, + domain controller policy modification, and ultimately complete forest compromise. This includes compromising RODCs and lateral movement. + + structure: | + The DsrmAdminLogonBehavior key is a DWORD value located at: + HKLM\System\CurrentControlSet\Control\Lsa\DsrmAdminLogonBehavior + + Values: + - 0: DSRM admin account cannot log on locally or over the network (default/secure) + - 1: DSRM admin account can log on locally + - 2: DSRM admin account can log on over the network + + examples: + - "reg query HKLM\\System\\CurrentControlSet\\Control\\Lsa /v DsrmAdminLogonBehavior" + - "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Lsa" + - "DsrmAdminLogonBehavior REG_DWORD 0x1" + + tools: + - name: "reg query" + description: "Windows Registry query command - currently no forensic tools specifically detect this artifact" + - name: "Registry Explorer" + description: "Manual registry analysis tool" + +limitations: + - "Does not indicate when the original compromise occurred" + - "No known false positives - presence of value 1 or 2 indicates compromise" + - "Cannot identify who performed the change without additional logging" + +correlation: + required_for_definitive_conclusions: + - "Windows Event Logs analysis for registry modification events" + - "Sysmon logs for registry change detection" + - "Timeline analysis with other persistence artifacts" + + strengthens_evidence: + - "Search for DsrmAdminLogonBehavior in Windows Event Logs for timestamp/user attribution" + - "Sysmon Event ID 13 (registry value set) for detailed modification tracking" + - "Correlation with other Active Directory persistence techniques" + +metadata: + windows_versions: + - "Windows Server 2008 R2" + - "Windows Server 2012" + - "Windows Server 2012 R2" + - "Windows Server 2016" + - "Windows Server 2019" + - "Windows Server 2022" + + introduced: "Windows Server 2008" + criticality: "high" + + investigation_types: + - "incident-response" + - "behavioral-analysis" + - "insider-threat" + - "persistence-analysis" + - "privilege-escalation" + - "credential-theft" + - "lateral-movement" + - "remote-access" + + tags: + - "active-directory" + - "domain-controller" + - "dsrm-persistence" + - "registry-forensics" + - "high-severity" + + references: + - title: "Beyond The MCSE: Active Directory For The Security Professional" + url: "https://www.blackhat.com/docs/us-16/materials/us-16-Metcalf-Beyond-The-MCSE-Active-Directory-For-The-Security-Professional.pdf" + type: "research" + + retention: + default_location: "System Registry" + persistence: "Survives reboots and system cleaning" + volatility: "Persistent until explicitly deleted" + +author: + name: "Abdul Mhanni" + github: "ThatTotallyRealMyth" + linkedin: "https://www.linkedin.com/in/abdulmhanni/" + email: "abdul.mhanni@gmail.com" + +contribution: + date_added: "2025-01-15" + last_updated: "2025-01-15" + version: "1.0"