Skip to content

Used new template for DsrmAdminLogonBehaviour reg artifact #5

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
tonmoy0010 merged 3 commits into from
Jun 14, 2025
Merged

Used new template for DsrmAdminLogonBehaviour reg artifact #5

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
c8cbae8
added DsrmAdminlogonBehaviour artifact
ThatTotallyRealMyth Jun 14, 2025
f88ee3f
final commit
ThatTotallyRealMyth Jun 14, 2025
bb08761
Update Dsrm_Admin_Logon_Behaviour.yml
tonmoy0010 Jun 14, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion artifacts/_template.yml
View file
Open in desktop

@tonmoy0010 tonmoy0010 Jun 14, 2025

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Reviewed

Original file line number Diff line number Diff line change
Expand Up @@ -129,4 +129,4 @@ contribution:
date_added: "2025-01-15"
last_updated: "2025-01-15"
version: "1.0"
reviewed_by: "Reviewer Name" # Optional
reviewed_by: "Reviewer Name" # Optional
105 changes: 105 additions & 0 deletions artifacts/persistence-methods/Dsrm_Admin_Logon_Behaviour.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,105 @@
title: "DSRM Admin Logon Behavior Registry Key"
category: "persistence-methods"

description: "Directory Services Restore Mode (DSRM) administrator account logon configuration - values of 1 or 2 indicate guaranteed compromise and persistence over Active Directory forest"

paths:
- "HKLM\\System\\CurrentControlSet\\Control\\Lsa\\DsrmAdminLogonBehavior"

details:
what: |
The DsrmAdminLogonBehavior registry key controls the behavior of the Directory Services Restore Mode (DSRM) administrator account.
Normally (and almost always) this key is either non-existent OR set to 0. This means the DSRM admin account cannot
logon locally OR over the network. If the key is set to 1, the DSRM admin account can logon locally, and if set to 2,
network authentication is allowed. This configuration is extremely rare in normal environments and indicates compromise.

forensic_value: |
This artifact proves that someone had the privileges to edit the Domain Controller registry and alter critical security settings.
The DSRM account functions as a local administrator, enabling DC sync attacks, hash/key/secret extraction, DPAPI backup master key access,
domain controller policy modification, and ultimately complete forest compromise. This includes compromising RODCs and lateral movement.

structure: |
The DsrmAdminLogonBehavior key is a DWORD value located at:
HKLM\System\CurrentControlSet\Control\Lsa\DsrmAdminLogonBehavior

Values:
- 0: DSRM admin account cannot log on locally or over the network (default/secure)
- 1: DSRM admin account can log on locally
- 2: DSRM admin account can log on over the network

examples:
- "reg query HKLM\\System\\CurrentControlSet\\Control\\Lsa /v DsrmAdminLogonBehavior"
- "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Lsa"
- "DsrmAdminLogonBehavior REG_DWORD 0x1"

tools:
- name: "reg query"
description: "Windows Registry query command - currently no forensic tools specifically detect this artifact"
- name: "Registry Explorer"
description: "Manual registry analysis tool"

limitations:
- "Does not indicate when the original compromise occurred"
- "No known false positives - presence of value 1 or 2 indicates compromise"
- "Cannot identify who performed the change without additional logging"

correlation:
required_for_definitive_conclusions:
- "Windows Event Logs analysis for registry modification events"
- "Sysmon logs for registry change detection"
- "Timeline analysis with other persistence artifacts"

strengthens_evidence:
- "Search for DsrmAdminLogonBehavior in Windows Event Logs for timestamp/user attribution"
- "Sysmon Event ID 13 (registry value set) for detailed modification tracking"
- "Correlation with other Active Directory persistence techniques"

metadata:
windows_versions:
- "Windows Server 2008 R2"
- "Windows Server 2012"
- "Windows Server 2012 R2"
- "Windows Server 2016"
- "Windows Server 2019"
- "Windows Server 2022"

introduced: "Windows Server 2008"
criticality: "high"

investigation_types:
- "incident-response"
- "behavioral-analysis"
- "insider-threat"
- "persistence-analysis"
- "privilege-escalation"
- "credential-theft"
- "lateral-movement"
- "remote-access"

tags:
- "active-directory"
- "domain-controller"
- "dsrm-persistence"
- "registry-forensics"
- "high-severity"

references:
- title: "Beyond The MCSE: Active Directory For The Security Professional"
url: "https://www.blackhat.com/docs/us-16/materials/us-16-Metcalf-Beyond-The-MCSE-Active-Directory-For-The-Security-Professional.pdf"
type: "research"

retention:
default_location: "System Registry"
persistence: "Survives reboots and system cleaning"
volatility: "Persistent until explicitly deleted"

author:
name: "Abdul Mhanni"
github: "ThatTotallyRealMyth"
linkedin: "https://www.linkedin.com/in/abdulmhanni/"
email: "abdul.mhanni@gmail.com"

contribution:
date_added: "2025-01-15"
last_updated: "2025-01-15"
version: "1.0"