Detection rules › Kusto Query Language

DSRM Account Abuse

Author: Vasileios Paschalidis
Source: upstream

'This query detects an abuse of the DSRM account in order to maintain persistence and access to the organization's Active Directory. Ref: https://adsecurity.org/?p=1785'

MITRE ATT&CK coverage

Tactic	Techniques
Persistence	`T1098` Account Manipulation
Privilege Escalation	`T1098` Account Manipulation

Event coverage

Provider	Event ID	Title
Sysmon	13	RegistryEvent (Value Set)

Stages and Predicates

Stage 1: `source`

Event

Stage 2: `where`

and
  EventID eq "13"
  EventLog eq "Microsoft-Windows-Sysmon/Operational"

Stage 3: `parse`

Stage 4: `where`

and
  Details eq "DWORD (0x00000002)"
  TargetObject match "HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\DsrmAdminLogonBehavior"

Stage 5: `summarize`

Stage 6: `extend`

Stage 7: `extend`

Stage 8: `extend`

Stage 9: `extend`

Stage 10: `extend`

Stage 11: `project-away`

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`Details`	eq	`DWORD (0x00000002)` corpus 9 (sigma 9)
`EventID`	in	`13`
`EventLog`	eq	`Microsoft-Windows-Sysmon/Operational`
`TargetObject`	match	`HKLM\\System\\CurrentControlSet\\Control\\Lsa\\DsrmAdminLogonBehavior`

DSRM Account Abuse

MITRE ATT&CK coverage

Event coverage

Stages and Predicates

Stage 1: source

Stage 2: where

Stage 3: parse

Stage 4: where

Stage 5: summarize

Stage 6: extend

Stage 7: extend

Stage 8: extend

Stage 9: extend

Stage 10: extend

Stage 11: project-away