Detecting DSRM Account Misconfigurations
Written by: Vikram Navali, Senior Technical Product Manager
During a Domain Controller (DC) promotion, administrators set the password of the Directory Services Restore Mode (DSRM) account, and that password rarely changes afterwards. The DSRM account is the DC’s local “Administrator” account; it is meant to be used only when the server is booted into DSRM to restore an AD backup or recover the DC from a failure.
Attackers can abuse the DSRM account to maintain persistent access to the organization’s Active Directory. Administrators set the DSRM password while configuring Active Directory and typically do not follow the recommendation to change it regularly. Knowing this, an attacker who has gained administrative rights on a DC will try to turn the account into a permanent backdoor for future access. The DSRM password can be reset with the built-in ntdsutil tool on every DC (or remotely against every DC by replacing “null” in its “reset password on server null” command with the DC name), and the attacker does not need to know the current password to do so.
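The reset itself is done with ntdsutil, the built-in tool the sentence above refers to. The following is an added example, not code from the original article: it shows the local form (“null” means the DC you are running on) and the remote form, where the DC name DC01 and the account name dsrm-sync-svc are assumed placeholders.

```powershell
# Added example: setting a DC's DSRM (local Administrator) password with ntdsutil.
# Run from an elevated prompt on a DC. ntdsutil prompts twice for the new
# password and does not echo it; the two "q" arguments leave both submenus.

# Local DC: "null" is ntdsutil's name for the DC the command runs on.
ntdsutil "set dsrm password" "reset password on server null" q q

# Remote DC: replace null with the DC's name (DC01 is an assumed placeholder).
ntdsutil "set dsrm password" "reset password on server DC01" q q

# Alternative: copy the password of an existing domain account into the DSRM
# account instead of typing one (account name is an assumed placeholder). The copy
# is one-time, not continuous, so the DSRM password still has to be rotated on
# its own schedule.
ntdsutil "set dsrm password" "sync from domain account dsrm-sync-svc" q q
```

The same commands serve the defender when rotating DSRM passwords; every successful reset is recorded on the DC in the Security log as event ID 4794 (“An attempt was made to set the Directory Services Restore Mode administrator password”), which is the event to watch for resets nobody scheduled.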
Once the attacker knows the DSRM password, the account can be used to log on to the DC over the network as a local administrator (subject to the logon-behavior setting described below). From there the attacker can extract both the local SAM hashes, which include the DSRM Administrator hash, and the AD account hashes with an open-source credential-dumping tool, for example Mimikatz with the commands “lsadump::sam” and “lsadump::lsa /patch”, respectively.
With administrative rights on the DC, the attacker can change a Windows registry value so that the DSRM account (and its password hash) can be used to log on to the DC without rebooting the server into DSRM. The value is “DsrmAdminLogonBehavior” (REG_DWORD) under HKLM\SYSTEM\CurrentControlSet\Control\Lsa; the attacker checks whether it exists and sets one of the following:
- 0 – the default. The DSRM administrator account can be used only if the DC is started in DSRM.
- 1 – The DSRM administrator account can log on if the local AD DS service is stopped.
- 2 – The DSRM administrator account can always log on (not recommended, because password policies do not apply to the DSRM administrator account).
After setting “DsrmAdminLogonBehavior” to 2, the attacker can authenticate to the DC with the DSRM account’s NTLM hash instead of its password, for example with the following Mimikatz pass-the-hash command:
- “sekurlsa::pth /domain:attivo1.local /user:Administrator /ntlm:fc063a56bf43cb54e57a2522d4d48678”
Because the DSRM account is a local account on the DC rather than a domain account, the /domain parameter must name the DC itself (its hostname) for the hash to be applied to the DSRM account; with the AD domain name shown above, the logon would be attempted against the domain’s Administrator account instead.
How to Mitigate DSRM Account Misconfigurations?
Security administrators must ensure that the DSRM password is unique on every Domain Controller and is changed regularly (at least as often as other privileged account passwords). They must also ensure that the registry value DsrmAdminLogonBehavior is never set to 2. The value does not exist on a default installation, so its presence at all is unusual, and any setting other than 0 means someone has deliberately widened where the DSRM account can log on and should be investigated.
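One way to turn the two checks above into a routine audit, as an added example that is not part of the original article or the ADAssessor product: the script below queries every DC for a non-default DsrmAdminLogonBehavior value and for recent DSRM password resets (Security event ID 4794), then removes the value where it is misconfigured. It assumes the ActiveDirectory RSAT module, PowerShell Remoting to the DCs, and Domain Admin (or equivalent) rights; the 30-day lookback is an arbitrary choice.

```powershell
# Added example: audit all DCs for DSRM logon-behavior misconfiguration and
# recent DSRM password resets, then remediate. Assumes RSAT ActiveDirectory
# module, PS Remoting to each DC, and Domain Admin rights.
Import-Module ActiveDirectory

$regPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$valueName = 'DsrmAdminLogonBehavior'
$dcs       = (Get-ADDomainController -Filter *).HostName

$audit = Invoke-Command -ComputerName $dcs -ScriptBlock {
    param($regPath, $valueName)

    # The value is absent on a clean DC, so "absent" is the expected state.
    $item  = Get-ItemProperty -Path $regPath -Name $valueName -ErrorAction SilentlyContinue
    $value = if ($null -eq $item) { $null } else { [int]$item.$valueName }

    # Event 4794 is written to the DC's Security log whenever the DSRM
    # administrator password is set (e.g. via ntdsutil). 30-day lookback is arbitrary.
    $resets = Get-WinEvent -FilterHashtable @{
        LogName = 'Security'; Id = 4794; StartTime = (Get-Date).AddDays(-30)
    } -ErrorAction SilentlyContinue

    [pscustomobject]@{
        DC                       = $env:COMPUTERNAME
        DsrmAdminLogonBehavior   = $value            # $null = absent (default)
        Misconfigured            = ($null -ne $value -and $value -ne 0)
        DsrmPasswordSetsLast30d  = @($resets).Count
        LastDsrmPasswordSet      = ($resets | Select-Object -First 1).TimeCreated
    }
} -ArgumentList $regPath, $valueName

$audit | Format-Table DC, DsrmAdminLogonBehavior, Misconfigured,
                      DsrmPasswordSetsLast30d, LastDsrmPasswordSet -AutoSize

# Any present value other than 0 deserves a ticket; 2 means the DSRM account can
# log on over the network at any time. Deleting the value restores the default.
foreach ($dc in ($audit | Where-Object Misconfigured)) {
    Write-Warning "$($dc.DC): $valueName = $($dc.DsrmAdminLogonBehavior); removing value"
    Invoke-Command -ComputerName $dc.DC -ScriptBlock {
        param($regPath, $valueName)
        Remove-ItemProperty -Path $regPath -Name $valueName -ErrorAction Stop
    } -ArgumentList $regPath, $valueName
}
```

Treat a non-zero DsrmPasswordSetsLast30d on a DC where no rotation was scheduled the same way as a misconfigured registry value: the reset is how the backdoor is planted, and the registry change is how it is used, so either one on its own is worth an investigation.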
The Attivo Networks ADAssessor solution detects DSRM account misconfigurations and alerts when DSRM network logon is enabled or the account is activated. Its continuous monitoring also helps administrators review the “DsrmAdminLogonBehavior” registry value and reduce the risk of an attacker retaining Domain Controller admin rights.
Enabling logon for the DSRM account gives an attacker a convenient way to pull domain credentials and maintain persistence across the organization’s network. Administrators should apply appropriate password and registry settings to these accounts and continuously monitor for misconfigurations that expose Active Directory to attack.
For more information, please visit https://attivonetworks.com/product/adassessor/.