Detection | Level: high | Status: test

Directory Service Restore Mode (DSRM) Registry Value Tampering

Detects changes to the "DsrmAdminLogonBehavior" registry value. During a Domain Controller (DC) promotion, administrators create a Directory Services Restore Mode (DSRM) local administrator account with a password that rarely changes. The DSRM account is an "Administrator" account used to log on in DSRM when the server boots to restore AD backups or recover the server from a failure. Attackers could abuse the DSRM account to maintain persistence and access to the organization's Active Directory. If "DsrmAdminLogonBehavior" is set to "0", the administrator account can only be used if the DC starts in DSRM. If it is set to "1", the administrator account can only be used if the local AD DS service is stopped. If it is set to "2", the administrator account can always be used.

Author: Nischal Khadgi | Created: Thu Jul 11 | ID: b61e87c0-50db-4b2e-8986-6a2be94b33b0 | windows
Log Source
Windows / Registry Set
Product: Windows (raw: windows)
Category: Registry Set (raw: registry_set)
Detection Logic (2 selectors)
detection:
    selection:
        TargetObject|endswith: '\Control\Lsa\DsrmAdminLogonBehavior'
    filter_main_default_value:
        Details: 'DWORD (0x00000000)' # Default value
    condition: selection and not 1 of filter_main_*
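
The rule's condition evaluated over a few registry-set events, as an added example that is not part of the original rule or of any Sigma backend. The events and their registry path prefixes are constructed; only the field names, the value suffix and the "DWORD (0x........)" details format come from the rule above.

```python
import re

# Sigma string matching is case-insensitive by default, so compare lowercased.
TARGET_SUFFIX = r"\Control\Lsa\DsrmAdminLogonBehavior".lower()
DEFAULT_DETAILS = "DWORD (0x00000000)".lower()

# Meaning of each value, as stated in the rule description.
MEANING = {
    0: "usable only when the DC starts in DSRM",
    1: "usable only when the local AD DS service is stopped",
    2: "always usable",
}

def rule_matches(event):
    """condition: selection and not 1 of filter_main_*"""
    selection = event.get("TargetObject", "").lower().endswith(TARGET_SUFFIX)
    filter_default = event.get("Details", "").lower() == DEFAULT_DETAILS
    return selection and not filter_default

def describe(event):
    """Decode the 'DWORD (0x........)' details string for triage."""
    m = re.fullmatch(r"DWORD \(0x([0-9a-fA-F]{8})\)", event.get("Details", ""))
    if not m:
        return "non-DWORD or unparsed details"
    value = int(m.group(1), 16)
    return MEANING.get(value, f"unexpected value {value}")

LSA = r"HKLM\System\CurrentControlSet\Control\Lsa"
# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"TargetObject": LSA + r"\DsrmAdminLogonBehavior", "Details": "DWORD (0x00000002)"},
    {"TargetObject": LSA + r"\DsrmAdminLogonBehavior", "Details": "DWORD (0x00000000)"},
    {"TargetObject": LSA.upper() + r"\dsrmadminlogonbehavior", "Details": "DWORD (0x00000001)"},
    {"TargetObject": LSA + r"\LimitBlankPasswordUse", "Details": "DWORD (0x00000001)"},
]

def triage(events):
    """Return (TargetObject, meaning) for every event the rule alerts on."""
    return [(e["TargetObject"], describe(e)) for e in events if rule_matches(e)]

if __name__ == "__main__":
    for target, meaning in triage(SAMPLE_EVENTS):
        print(f"ALERT {target}: DSRM administrator {meaning}")
```

The second sample shows the effect of filter_main_default_value: a write that sets the value back to 0 does not alert, so a change to 1 or 2 followed by a reset produces only the first alert.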
False Positives
Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.