Detecting DSRM Account Misconfigurations - Attivo Networks

Written by: Vikram Navali, Senior Technical Product Manager

During a Domain Controller (DC) promotion, administrators create a Directory Services Restore Mode (DSRM) local administrator account with a password that rarely changes. The DSRM account is a local “Administrator” account used to log on when the server boots into DSRM to restore AD backups or recover the server from a failure.

Attackers could abuse the DSRM account to maintain persistence and access to the organization’s Active Directory. Administrators set the DSRM password while configuring Active Directory and typically do not follow the recommendation to change it regularly. Knowing this, attackers will attempt to turn the account into a permanent backdoor for future access. An attacker can change the DSRM account password by running the following command on every DC (or remotely against every DC by replacing “null” with the DC name).

Once an attacker has the DSRM password, the account can be used to log on to the DC over the network as a local administrator. The attacker can then extract both the local administrator and AD administrator password hashes with an open-source credential dumping tool, for example by running the Mimikatz commands “lsadump::sam” and “lsadump::lsa /patch”, respectively.

With the local administrator password hash, the attacker can change the Windows registry so that the DSRM hash can be used to log into the DC without rebooting the server. The attacker checks the “DsrmAdminLogonBehavior” registry value under HKLM\System\CurrentControlSet\Control\Lsa and sets it to one of the possible REG_DWORD values shown below:

  • 0 – the default value. Can use the DSRM administrator account only if the DC starts in DSRM.
  • 1 – Use the DSRM administrator account to log on if the local AD DS service is stopped.
  • 2 – Always use the DSRM administrator account (This setting is not recommended because password policies do not apply to the DSRM administrator account).

The attacker will try to set the registry key “DsrmAdminLogonBehavior” value to 2, as shown below.

An attacker can then use additional techniques such as Pass the Ticket (PTT) to access the DC and move laterally across the network. The following Mimikatz commands help achieve that goal.

  • privilege::debug
  • sekurlsa::pth /domain:attivo1.local /user:Administrator /ntlm: fc063a56bf43cb54e57a2522d4d48678

How to Mitigate DSRM Account Misconfigurations?

Security administrators must ensure the DSRM account password is unique on every Domain Controller and is changed regularly (at least as often as other account passwords). Also ensure the DsrmAdminLogonBehavior registry value is not set to 2; this value does not exist by default, so its presence on a DC is itself a sign that someone has changed the DSRM logon behaviour.
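As an added example (not from the original post and not ADAssessor code), the following PowerShell audit queries every DC in the domain for the DsrmAdminLogonBehavior value, reports the absent/0/1/2 states described above, and with -Remediate deletes a non-zero value to restore the default. It assumes the ActiveDirectory RSAT module and WinRM access to each DC; the parameter and variable names are hypothetical.

```powershell
<#
  Audit every Domain Controller for the DsrmAdminLogonBehavior registry value.
  Example script only; assumes the ActiveDirectory module and WinRM to each DC.
#>
param(
    [switch]$Remediate   # delete the value where it is set to 1 or 2
)

Import-Module ActiveDirectory

$regPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$valueName = 'DsrmAdminLogonBehavior'

# Runs on each DC. Returns the current value, or $null when the value is absent
# (the default state on a freshly promoted DC).
$probe = {
    param($path, $name, $fix)
    $item    = Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue
    $current = if ($null -eq $item) { $null } else { $item.$name }
    $action  = 'none'
    if ($fix -and $null -ne $current -and $current -ne 0) {
        # Removing the value restores the default: DSRM logon only when booted into DSRM.
        Remove-ItemProperty -Path $path -Name $name -ErrorAction Stop
        $action = 'removed'
    }
    [pscustomobject]@{ Computer = $env:COMPUTERNAME; Value = $current; Action = $action }
}

$dcs     = (Get-ADDomainController -Filter *).HostName
$results = Invoke-Command -ComputerName $dcs -ScriptBlock $probe `
               -ArgumentList $regPath, $valueName, $Remediate.IsPresent

foreach ($r in $results) {
    if     ($null -eq $r.Value) { $status = 'OK    value absent (default: DSRM logon only in DSRM boot)' }
    elseif ($r.Value -eq 0)     { $status = 'OK    explicitly 0' }
    elseif ($r.Value -eq 1)     { $status = 'WARN  DSRM logon allowed whenever AD DS is stopped' }
    elseif ($r.Value -eq 2)     { $status = 'ALERT DSRM logon always allowed' }
    else                        { $status = "ALERT unexpected value $($r.Value)" }
    '{0,-28} {1,-62} {2}' -f $r.Computer, $status, $r.Action
}
```

Run it on a schedule and diff the output against the previous run; any DC that moves from "value absent" to any other state deserves an incident ticket, not just a fix.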

The Attivo Networks ADAssessor solution detects DSRM account misconfigurations and alerts when DSRM login is enabled or the account is activated. Its continuous monitoring also helps administrators review the “DsrmAdminLogonBehavior” registry setting and mitigate the risk of an attacker retaining Domain Controller admin rights.

Conclusion

Activating the DSRM account gives an attacker a convenient way to pull domain credentials and maintain persistence across the organization’s network. Administrators should implement appropriate password and registry key settings for these accounts and continuously monitor for misconfigurations that expose Active Directory to attack.

For more information, please visit https://attivonetworks.com/product/adassessor/.
