Query Details

RULE 14 AD DSRM Backdoor Registry

Query

// =========================================================
// RULE-14 | AD-DSRM-Backdoor-Registry
// Description : DSRM (Directory Services Restore Mode) admin
//               backdoor activation — Event 4657 (Registry
//               Value Modified) setting
//               HKLM\SYSTEM\CurrentControlSet\Control\Lsa\
//               DsrmAdminLogonBehavior to 2.
//               The DSRM account is a local administrator on
//               every DC with its own password (set at
//               dcpromo time).  By default it only works in
//               restore mode.  Setting this registry value
//               to 2 allows the DSRM account to authenticate
//               over the network to the DC — providing a
//               persistent backdoor that survives domain admin
//               password resets and krbtgt rotations.
// Severity    : Critical (any change to this key on a DC)
// Frequency   : Every 15 minutes, look-back 15 minutes
// MITRE       : T1003.004 — LSA Secrets
//               T1098      — Account Manipulation
// Tables      : SecurityEvent
// =========================================================

let LookBack = 15m;

SecurityEvent
| where TimeGenerated > ago(LookBack)
| where EventID == 4657                          // Registry Value Modified
| where ObjectName has @"Control\Lsa"
    and ObjectValueName =~ "DsrmAdminLogonBehavior"
// Value 2 = allow network logon
| where NewValue in ("2", "0x00000002")
| extend
    ActorAccount  = strcat(SubjectDomainName, "\\", SubjectUserName),
    RegPath       = ObjectName,
    PreviousValue = OldValue,
    NewRegValue   = NewValue
| extend
    Severity = "Critical",
    WhySuspicious = strcat(
        "DSRM_Backdoor_Enabled_DsrmAdminLogonBehavior=2; ",
        "DC_local_admin_can_now_auth_over_network; ",
        "Survives_krbtgt_rotation; ",
        "Actor: ", SubjectUserName, "; ",
        "RegPath: ", RegPath
    )
| project
    TimeGenerated,
    Severity,
    WhySuspicious,
    ActorAccount,
    Computer,
    RegPath,
    PreviousValue,
    NewRegValue,
    SubjectUserName,
    SubjectDomainName
| order by TimeGenerated desc

Explanation

This query is designed to detect a critical security event on a domain controller (DC) related to the Directory Services Restore Mode (DSRM) account. Specifically, it monitors for changes to a particular registry setting that could indicate a backdoor has been activated. Here's a simplified breakdown:

  1. Purpose: The query checks if the registry value DsrmAdminLogonBehavior is set to 2 in the registry path HKLM\SYSTEM\CurrentControlSet\Control\Lsa. This change allows the DSRM account to log in over the network, which is not its default behavior.

  2. Significance: The DSRM account is a local administrator on every DC and is typically used only in restore mode. Allowing it to authenticate over the network creates a persistent backdoor that remains even if domain admin passwords are changed or krbtgt keys are rotated.

  3. Severity: The query marks this event as "Critical" because any change to this registry key on a DC is highly suspicious and potentially dangerous.

  4. Frequency: The query runs every 15 minutes and looks back over the last 15 minutes to catch any recent changes.

  5. Detection: It filters security events (Event ID 4657) that indicate a registry value has been modified. It specifically looks for changes where the new value is 2 or 0x00000002.

  6. Output: The query outputs details such as the time of the event, severity, why it's suspicious, the account that made the change, the computer affected, the registry path, the previous and new values, and the user and domain names involved.

  7. MITRE ATT&CK Framework: The query relates to techniques T1003.004 (LSA Secrets) and T1098 (Account Manipulation), indicating its relevance to known attack methods.

Overall, this query helps security teams identify and respond to potential unauthorized changes that could compromise the security of domain controllers.
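The rule above only fires if Event 4657 is actually generated, which requires a SACL on the Lsa key and the "Audit Registry" subcategory enabled on each DC. As an added example (not part of the original rule or its author's work), the following PowerShell reads the current DsrmAdminLogonBehavior value from every domain controller and reports whether those audit prerequisites are in place; it assumes the ActiveDirectory RSAT module and WinRM access to the DCs.

```powershell
# Added example: verify DSRM logon behaviour and 4657 audit prerequisites on all DCs.
# Assumes: ActiveDirectory module installed, WinRM reachable, run as a domain admin.
Import-Module ActiveDirectory

$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$dcs    = (Get-ADDomainController -Filter *).HostName

$results = Invoke-Command -ComputerName $dcs -ArgumentList $lsaKey -ScriptBlock {
    param($key)

    # Absent value means the default (0): DSRM admin can log on only in restore mode.
    $value = (Get-ItemProperty -Path $key -Name 'DsrmAdminLogonBehavior' `
                -ErrorAction SilentlyContinue).DsrmAdminLogonBehavior
    if ($null -eq $value) { $value = 0 }

    # Without at least one audit ACE on the key, no 4657 is written for Set Value.
    $saclEntries = (Get-Acl -Path $key -Audit).Audit

    # The Object Access > Registry subcategory must log Success for 4657 to appear.
    $auditPolicy = auditpol /get /subcategory:"Registry" 2>$null
    $registryAuditOn = [bool]($auditPolicy -match 'Success')

    [pscustomobject]@{
        DsrmAdminLogonBehavior = $value
        SaclPresent            = ($saclEntries.Count -gt 0)
        AuditRegistryEnabled   = $registryAuditOn
    }
}

# Full inventory, then the rows that need attention: a non-zero value is the
# condition the KQL rule alerts on, and missing audit config means it never would.
$results | Select-Object PSComputerName, DsrmAdminLogonBehavior, SaclPresent, AuditRegistryEnabled |
    Sort-Object PSComputerName | Format-Table -AutoSize

$results | Where-Object {
    $_.DsrmAdminLogonBehavior -ne 0 -or -not $_.SaclPresent -or -not $_.AuditRegistryEnabled
} | ForEach-Object { Write-Warning "Review $($_.PSComputerName): value=$($_.DsrmAdminLogonBehavior) sacl=$($_.SaclPresent) audit=$($_.AuditRegistryEnabled)" }
```

Any DC reporting a value of 1 or 2 should be investigated as the same finding the query raises; DCs with SaclPresent or AuditRegistryEnabled false are blind spots where the rule cannot trigger.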

Details

David Alonso

Released: March 24, 2026

Tables

SecurityEvent

Keywords

SecurityEvent

Operators

let, ago, has, =~, in, strcat, extend, project, order by