Plugin to look for the subkey value for the DSRM system admin in the Lsa key, which indicates almost definitely that a compromise occurred
I had tested out the plugin and it compiled, as well as being loaded and processed by Registry Explorer using the .net6 version. If there are other issues with the plugin being properly incorporated or functional then hopefully I can try my best to fix them, as I had never coded in C# until today.
Directory Services Restore Mode (DSRM) is a safe boot mode which allows emergency access to the Domain Controller server for database recovery or related issues. As a result of its function, it is a local administrator on the DC. Note that DSRM creates a local administrator account on the Domain Controller that is different from the Domain administrator account.
The account can have its password reset by someone with the privileges to do so, or the account's hashes can be compromised by other methods. The kicker is that the password is useless, as the account is not configured for use since it's a sort of break-glass account; to change this one must change the registry key to allow the account to either log on locally or to log on over the network:
Threat actors have two choices with this one:
Enable the DSRM account to log on normally:
reg add "HKLM\System\CurrentControlSet\Control\Lsa" /v DsrmAdminLogonBehaviour /t REG_DWORD /d 1
Or value 2 for network logon:
reg add "HKLM\System\CurrentControlSet\Control\Lsa" /v DsrmAdminLogonBehaviour /t REG_DWORD /d 2
If you query that key on your home computer, or indeed your company's DC, you will not find a value there, as the DsrmAdmin shouldn't have any logon ability. I had seen this in a case and only caught wind of it by chance, as I enjoy reading Sean Metcalf's AD Security blog and this was in an entry in his threat actor persistence series.
I think it would be super helpful for something like this to be flagged in Registry Explorer in the bookmarks section, as in my opinion if this registry value exists and is set, a RecentDocs entry is the absolute least of your worries : )
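A defender-side check for the same artefact, added here as an example and not part of this PR or of Registry Explorer: it reads the Lsa key on a live Domain Controller, looks for the value (Microsoft documents the name as `DsrmAdminLogonBehavior`; the British spelling used above is checked as well in case it was typed that way), and classifies what it finds. Value meanings follow Microsoft's KB961320 description (0 or absent: DSRM admin can only log on when the DC is booted into DSRM; 1: logon allowed while the AD DS service is stopped; 2: logon always allowed, including over the network). The function name and its output fields are my own choice.

```powershell
# Added example (not the PR's code): flag a DC whose Lsa key enables
# DSRM administrator logon outside of Directory Services Restore Mode.
function Get-DsrmLogonBehaviorFinding {
    [CmdletBinding()]
    param(
        # Hypothetical parameter: allows pointing at a loaded offline hive
        # (e.g. HKLM:\OfflineSystem\ControlSet001\Control\Lsa) when testing.
        [string]$KeyPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    )

    # DomainRole 4 = backup DC, 5 = primary DC; DSRM only exists on DCs,
    # so the value is only meaningful (and only expected to be absent) there.
    $role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
    $isDc = $role -in 4, 5

    # Documented name first, British spelling second.
    $names = @('DsrmAdminLogonBehavior', 'DsrmAdminLogonBehaviour')
    $item  = Get-ItemProperty -Path $KeyPath -ErrorAction SilentlyContinue

    $finding = [PSCustomObject]@{
        Computer   = $env:COMPUTERNAME
        IsDomainController = $isDc
        KeyPath    = $KeyPath
        ValueName  = $null
        Value      = $null
        Severity   = 'Info'
        Meaning    = 'Value absent: DSRM admin can only log on in DSRM (expected state)'
    }

    foreach ($name in $names) {
        if ($null -ne $item -and $null -ne $item.PSObject.Properties[$name]) {
            $finding.ValueName = $name
            $finding.Value     = [int]$item.$name
            switch ($finding.Value) {
                0 { $finding.Severity = 'Low'
                    $finding.Meaning  = 'Explicitly set to 0: same as default, but someone touched the key; review key last-write time' }
                1 { $finding.Severity = 'High'
                    $finding.Meaning  = 'DSRM admin may log on while the AD DS service is stopped' }
                2 { $finding.Severity = 'Critical'
                    $finding.Meaning  = 'DSRM admin may always log on, including over the network' }
                default { $finding.Severity = 'High'
                          $finding.Meaning  = 'Unexpected value; treat as suspicious' }
            }
            break
        }
    }
    return $finding
}

# Run locally on a DC, or fan out to all DCs from an admin workstation:
#   Invoke-Command -ComputerName (Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName) `
#       -ScriptBlock ${function:Get-DsrmLogonBehaviorFinding} | Format-Table -AutoSize
Get-DsrmLogonBehaviorFinding
```

Anything other than `Severity = Info` on a Domain Controller deserves an incident ticket rather than a quiet clean-up: the key's last-write time (visible in Registry Explorer) gives the pivot point, and Security log event 4657 (if object auditing is enabled on the Lsa key) names who set it. Once the investigation is done the value can be removed with `Remove-ItemProperty` on the same key.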
My apologies for not properly writing some of those, as I am dyslexic and so I guess it was littered with spelling errors! I will be sure to check this again and make sure it's appropriate for review.
I also would like to ask: I'm not sure what I did wrong, but at some point I stopped being able to click on bookmarks and see my plugin as an option which, when I click it, takes me to the relevant registry key and displays the information regarding the value present being a smoking gun for compromise. Can I have some direction on where I can properly look within the present code base to identify how to correctly have the PR show up in the plugins, as well as take you to the key value when clicked or when browsing the bookmarks?
For bookmarks, you can click anywhere in a hive and Right-Click -> Add Bookmark. That will then generate a bookmark within your .\RegistryExplorer\Bookmarks\User folder, whereas the ones on the Registry Explorer Bookmarks repo are stored in the .\RegistryExplorer\Bookmarks\Common folder and can be synced via Bookmarks -> Sync with Github.
Also, I am testing out your plugin and, as you mentioned, I don't have this artifact on my personal computer, so I'll have to do some testing on this when I come across a hive that has this artifact.
Thankfully you don't have this artifact 😄
You can also create it manually by simply using the reg add command; at least that's what I did to test it out!
Just a quick edit: Should I then create a new PR to have this plugin added into the bookmarks repo linked above? I think that it should be such that if you load a hive and click top right, where Registry Explorer picks up all the high-fidelity stuff that it instantly takes you to, this should be one of them. I only say that since there are very few artefacts where, if it's present, you can assume with 99.9% confidence just off the lone artefact that you've been compromised, and I think the DSRMAdmin is one of those.