Password Change on Directory Service Restore Mode (DSRM) Account

Detects potential attempts made to set the Directory Services Restore Mode administrator password. The Directory Service Restore Mode (DSRM) account is a local administrator account on Domain Controllers. Attackers may change the password in order to obtain persistence.

Sigma rule

title: Password Change on Directory Service Restore Mode (DSRM) Account
id: 53ad8e36-f573-46bf-97e4-15ba5bf4bb51
related:
    - id: b61e87c0-50db-4b2e-8986-6a2be94b33b0
      type: similar
status: stable
description: |
    Detects potential attempts made to set the Directory Services Restore Mode administrator password.
    The Directory Service Restore Mode (DSRM) account is a local administrator account on Domain Controllers.
    Attackers may change the password in order to obtain persistence.
references:
    - https://adsecurity.org/?p=1714
    - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4794
author: Thomas Patzke
date: 2017-02-19
modified: 2020-08-23
tags:
    - attack.persistence
    - attack.t1098
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4794
    condition: selection
falsepositives:
    - Initial installation of a domain controller.
level: high
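The rule above is a single-field match, so it is a good place to see how Sigma's selection semantics play out against real-looking events. The following is an added example, not code from the SigmaHQ project: it applies the rule's logsource (windows/security) and selection (EventID: 4794) to a few constructed Windows Security events and returns the fields a responder needs for triage. Field names other than EventID (SubjectUserName, SubjectDomainName, Workstation, Status) follow the documented layout of event 4794; the values, the `Channel` key and the flat event shape are assumptions about how a SIEM pipeline stores the event.

```python
"""Evaluate the DSRM password-change Sigma rule against constructed events.

Added example, not part of the SigmaHQ rule. Assumptions: events arrive as
flat dicts with EventData fields promoted to top-level keys, and the event
log channel is stored under 'Channel'.
"""

from typing import Any

# The parts of the Sigma rule that drive matching, transcribed from the rule.
RULE: dict[str, Any] = {
    "title": "Password Change on Directory Service Restore Mode (DSRM) Account",
    "logsource": {"product": "windows", "service": "security"},
    "detection": {"selection": {"EventID": 4794}, "condition": "selection"},
    "level": "high",
}

# Sigma's windows/security logsource corresponds to the Security channel
# (assumption: the pipeline records the channel under the key 'Channel').
LOGSOURCE_CHANNEL = {("windows", "security"): "Security"}

# Constructed sample events: one DSRM password set on a domain controller and
# two look-alikes that must not fire (a normal account password reset, and an
# EventID 4794 that comes from a different channel).
SAMPLE_EVENTS = [
    {"Channel": "Security", "EventID": 4794, "Computer": "DC01.corp.example",
     "SubjectUserName": "jdoe", "SubjectDomainName": "CORP",
     "Workstation": "WS-042", "Status": "0x0"},
    {"Channel": "Security", "EventID": 4724, "Computer": "DC01.corp.example",
     "SubjectUserName": "helpdesk", "SubjectDomainName": "CORP",
     "TargetUserName": "asmith"},
    {"Channel": "Application", "EventID": "4794",
     "Computer": "APP01.corp.example", "SubjectUserName": "svc_app"},
]


def _values_equal(expected: Any, actual: Any) -> bool:
    """Sigma compares values as case-insensitive strings by default, so the
    integer 4794 in the rule also matches a string '4794' in an event."""
    return str(expected).lower() == str(actual).lower()


def selection_matches(selection: dict[str, Any], event: dict[str, Any]) -> bool:
    """Every field in a selection must match (implicit AND); a list value
    means any one of the listed values is acceptable (implicit OR)."""
    for field, expected in selection.items():
        if field not in event:
            return False
        candidates = expected if isinstance(expected, list) else [expected]
        if not any(_values_equal(c, event[field]) for c in candidates):
            return False
    return True


def logsource_matches(rule: dict[str, Any], event: dict[str, Any]) -> bool:
    """Only events from the channel the logsource refers to are considered."""
    key = (rule["logsource"]["product"], rule["logsource"]["service"])
    return event.get("Channel") == LOGSOURCE_CHANNEL.get(key)


def run_rule(rule: dict[str, Any], events: list[dict[str, Any]]) -> list[dict[str, Any]]:
    """Return one alert per event that satisfies both logsource and selection.
    Only 'condition: selection' is supported, which is all this rule uses."""
    if rule["detection"]["condition"] != "selection":
        raise ValueError("this evaluator only handles 'condition: selection'")
    selection = rule["detection"]["selection"]
    alerts = []
    for event in events:
        if logsource_matches(rule, event) and selection_matches(selection, event):
            alerts.append({
                "rule": rule["title"],
                "level": rule["level"],
                "host": event.get("Computer"),
                # Who set the DSRM password and from where: the first things
                # to check against change records when triaging this alert.
                "actor": f"{event.get('SubjectDomainName')}\\{event.get('SubjectUserName')}",
                "workstation": event.get("Workstation"),
                "status": event.get("Status"),
            })
    return alerts


if __name__ == "__main__":
    for alert in run_rule(RULE, SAMPLE_EVENTS):
        print(alert)
```

Only the first sample event produces an alert: the 4724 event fails the selection and the Application-channel event fails the logsource check, even though its EventID compares equal under Sigma's string semantics. In production the rule would be converted with the Sigma tooling for the target SIEM rather than evaluated like this; the evaluator just makes the matching behaviour visible. The false positive the rule lists (initial installation of a domain controller) is best handled by checking the alert's host and time against the DC promotion record, not by suppressing the event.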
