Techniques
Sample rules
Windows AD DSRM Account Changes
- source: splunk
- technicques:
- T1098
Description
Aside from being used to promote genuine domain controllers, the DSRM (Directory Services Restore Mode) account can be used to persist within a Domain. A DC can be configured to allow the DSRM account to logon & be used in the same way as a local administrator account. This detection is looking for alterations to the behaviour of the account via registry.
Detection logic
| tstats `security_content_summariesonly` min(_time) as _time from datamodel=Endpoint.Registry where Registry.registry_path= "*\\System\\CurrentControlSet\\Control\\Lsa\\DSRMAdminLogonBehavior" Registry.registry_value_data IN ("*1","*2") by Registry.action Registry.registry_path Registry.registry_value_data Registry.registry_value_type Registry.process_guid Registry.dest Registry.user
| `drop_dm_object_name(Registry)`
| join type=outer process_guid [
| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes by Processes.user Processes.process_name Processes.process Processes.dest Processes.parent_process_name Processes.parent_process Processes.process_guid
| `drop_dm_object_name(Processes)`]
| table _time action dest user parent_process_name parent_process process_name process process_guid registry_path registry_value_data registry_value_type
| `windows_ad_dsrm_account_changes_filter`