An adversary is leveraging the DSRM (Directory Services Restore Mode) account to establish persistence and maintain access within the Active Directory environment. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate long-term access and lateral movement capabilities.
KQL Query
Event
| where EventLog == "Microsoft-Windows-Sysmon/Operational" and EventID in (13)
| parse EventData with * 'ProcessId">' ProcessId "<"* 'Image">' Image "<" * 'TargetObject">' TargetObject "<" * 'Details">' Details "<" * 'User">' User "<" *
| where TargetObject has ("HKLM\\System\\CurrentControlSet\\Control\\Lsa\\DsrmAdminLogonBehavior") and Details == "DWORD (0x00000002)"
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventID, Computer, User, ProcessId, Image, TargetObject, Details, _ResourceId
| extend HostName = tostring(split(Computer, ".")[0]), DomainIndex = toint(indexof(Computer, '.'))
| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)
| extend AccountName = tostring(split(User, "\\")[1]), AccountNTDomain = tostring(split(User, "\\")[0])
| extend ImageFileName = tostring(split(Image, "\\")[-1])
| extend ImageDirectory = replace_string(Image, ImageFileName, "")
| project-away DomainIndex
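As an added example (not part of the rule or the page), the same parse-and-filter pipeline in Python run over constructed Sysmon Event 13 records, with the derivations that feed the Host, Account, Process and File entity mappings. It flags only records that set DsrmAdminLogonBehavior to 2, the value that permits DSRM logon while the domain controller is online; hosts, users and paths are invented sample data.

```python
import re

# Constructed Sysmon Event 13 records in the shape of the Sentinel Event table (not real telemetry).
SAMPLE_EVENTS = [
    {"EventLog": "Microsoft-Windows-Sysmon/Operational", "EventID": 13, "Computer": "dc01.corp.example.com",
     "EventData": '<Data Name="ProcessId">4212</Data><Data Name="Image">C:\\Windows\\regedit.exe</Data>'
                  '<Data Name="TargetObject">HKLM\\System\\CurrentControlSet\\Control\\Lsa\\DsrmAdminLogonBehavior</Data>'
                  '<Data Name="Details">DWORD (0x00000002)</Data><Data Name="User">CORP\\jdoe</Data>'},
    {"EventLog": "Microsoft-Windows-Sysmon/Operational", "EventID": 13, "Computer": "dc02.corp.example.com",
     "EventData": '<Data Name="ProcessId">880</Data><Data Name="Image">C:\\Windows\\System32\\svchost.exe</Data>'
                  '<Data Name="TargetObject">HKLM\\System\\CurrentControlSet\\Control\\Lsa\\DsrmAdminLogonBehavior</Data>'
                  '<Data Name="Details">DWORD (0x00000000)</Data><Data Name="User">NT AUTHORITY\\SYSTEM</Data>'},
    {"EventLog": "Security", "EventID": 4740, "Computer": "dc01.corp.example.com", "EventData": ""},
]
FIELDS = ("ProcessId", "Image", "TargetObject", "Details", "User")
TARGET_KEY = "HKLM\\System\\CurrentControlSet\\Control\\Lsa\\DsrmAdminLogonBehavior"

def parse_event_data(event_data):
    """Mirror the KQL `parse` step: take the text between each 'Name">' and the next '<'."""
    parsed = {}
    for field in FIELDS:
        m = re.search(r'"%s">([^<]*)<' % field, event_data)
        parsed[field] = m.group(1) if m else ""
    return parsed

def enrich(event, parsed):
    """Mirror the `extend` steps that produce the entity-mapping columns."""
    computer, image, user = event["Computer"], parsed["Image"], parsed["User"]
    dot = computer.find(".")
    file_name = image.rsplit("\\", 1)[-1]          # split(Image, "\\")[-1]
    nt_domain, _, account = user.partition("\\")   # split(User, "\\")[0] / [1]
    return {"Computer": computer, "HostName": computer.split(".")[0],
            "HostNameDomain": computer[dot + 1:] if dot != -1 else computer,
            "User": user, "AccountNTDomain": nt_domain, "AccountName": account,
            "ProcessId": parsed["ProcessId"], "ImageFileName": file_name,
            "ImageDirectory": image[: len(image) - len(file_name)],  # replace_string(Image, ImageFileName, "")
            "TargetObject": parsed["TargetObject"], "Details": parsed["Details"]}

def detect_dsrm_abuse(events):
    """Apply the rule's filters: Sysmon EventID 13 on the DsrmAdminLogonBehavior value, data set to 2."""
    hits = []
    for ev in events:
        if ev["EventLog"] != "Microsoft-Windows-Sysmon/Operational" or ev["EventID"] != 13:
            continue
        p = parse_event_data(ev["EventData"])
        # KQL `has` is case-insensitive; a lower-cased substring match is the closest stand-in here.
        if TARGET_KEY.lower() in p["TargetObject"].lower() and p["Details"] == "DWORD (0x00000002)":
            hits.append(enrich(ev, p))
    return hits

if __name__ == "__main__":
    for h in detect_dsrm_abuse(SAMPLE_EVENTS):
        print(f'{h["HostName"]}: {h["User"]} set {h["TargetObject"]} = {h["Details"]} via {h["ImageFileName"]}')
```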
id: 979c42dd-533e-4ede-b18b-31a84ba8b3d6
name: DSRM Account Abuse
description: |
  'This query detects an abuse of the DSRM account in order to maintain persistence and access to the organization's Active Directory.
  Ref: https://adsecurity.org/?p=1785'
severity: High
requiredDataConnectors:
  - connectorId: SecurityEvents
    dataTypes:
      - SecurityEvent
queryFrequency: 1h
queryPeriod: 1h
triggerOperator: gt
triggerThreshold: 0
tactics:
  - Persistence
relevantTechniques:
  - T1098
query: |
  Event
  | where EventLog == "Microsoft-Windows-Sysmon/Operational" and EventID in (13)
  | parse EventData with * 'ProcessId">' ProcessId "<" * 'Image">' Image "<" * 'TargetObject">' TargetObject "<" * 'Details">' Details "<" * 'User">' User "<" *
  | where TargetObject has ("HKLM\\System\\CurrentControlSet\\Control\\Lsa\\DsrmAdminLogonBehavior") and Details == "DWORD (0x00000002)"
  | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventID, Computer, User, ProcessId, Image, TargetObject, Details, _ResourceId
  | extend HostName = tostring(split(Computer, ".")[0]), DomainIndex = toint(indexof(Computer, '.'))
  | extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)
  | extend AccountName = tostring(split(User, "\\")[1]), AccountNTDomain = tostring(split(User, "\\")[0])
  | extend ImageFileName = tostring(split(Image, "\\")[-1])
  | extend ImageDirectory = replace_string(Image, ImageFileName, "")
  | project-away DomainIndex
entityMappings:
  - entityType: Host
    fieldMappings:
      - identifier: FullName
        columnName: Computer
      - identifier: HostName
        columnName: HostName
      - identifier: DnsDomain
        columnName: HostNameDomain
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: User
      - identifier: Name
        columnName: AccountName
      - identifier: NTDomain
        columnName: AccountNTDomain
  - entityType: Process
    fieldMappings:
      - identifier: ProcessId
        columnName: ProcessId
  - entityType: File
    fieldMappings:
      - identifier: Name
        columnName: ImageFileName
      - identifier: Directory
        columnName: ImageDirectory
  - entityType: RegistryKey
    fieldMappings:
      - identifier: Key
        columnName: TargetObject
version: 1.0.3
kind: Scheduled
metadata:
  source:
    kind: Community
  author:
    name: Vasileios Paschalidis
  support:
    tier: Community
  categories:
    domains: [ "Security - Others" ]
Scenario: Legitimate Scheduled Task for System Maintenance
Description: A system administrator creates a scheduled task using Task Scheduler to run a maintenance script that requires logging in with the DSRM account.
Filter/Exclusion: EventID=190 (Task Scheduler event) with TaskName containing "Maintenance" or "SystemCheck"

Scenario: Admin Task to Reset Forgotten DSRM Password
Description: An administrator uses the Ntdsutil tool to reset a forgotten DSRM password for a domain controller.
Filter/Exclusion: EventID=6006 (Event Log service event) with Source containing "Ntdsutil" or "DSRM Reset"

Scenario: Regular Backup Job Using DSRM Credentials
Description: A backup tool (e.g., Veeam, Acronis) uses DSRM credentials to access Active Directory for backup purposes.
Filter/Exclusion: EventID=1000 (Backup service event) with ProcessName containing "Veeam" or "Acronis"

Scenario: User Account Lockout Reset via DSRM
Description: An admin uses the DSRM account to reset a locked-out user account via the command line or PowerShell.
Filter/Exclusion: EventID=4740 (Account Logon event) with EventMessage containing "Reset Password" or "Unlock Account"

Scenario: DSRM Account Used for Emergency Access
Description: During a planned outage, the DSRM account is used to access AD for emergency recovery tasks.
Filter/Exclusion: EventID=6008 (System crash dump) with EventMessage containing "Emergency Access" or "DSRM Recovery"