Password Change on Directory Service Restore Mode (DSRM) Account
The Directory Service Restore Mode (DSRM) account is a local administrator account on Domain Controllers. Attackers may change the password to gain persistence.
Sigma rule (View on GitHub)
1title: Password Change on Directory Service Restore Mode (DSRM) Account
2id: 53ad8e36-f573-46bf-97e4-15ba5bf4bb51
3status: stable
4description: The Directory Service Restore Mode (DSRM) account is a local administrator account on Domain Controllers. Attackers may change the password to gain persistence.
5references:
6 - https://adsecurity.org/?p=1714
7author: Thomas Patzke
8date: 2017/02/19
9modified: 2020/08/23
10tags:
11 - attack.persistence
12 - attack.t1098
13logsource:
14 product: windows
15 service: security
16detection:
17 selection:
18 EventID: 4794
19 condition: selection
20falsepositives:
21 - Initial installation of a domain controller
22level: high
References
-
The content in this post describes a method by which an attacker could persist administrative access to Active Directory after having Domain Admin level rights for 5 minutes. I presented on this AD...
Read More
Related rules
- Addition of SID History to Active Directory Object
- Suspicious Windows ANONYMOUS LOGON Local Account Created
- HybridConnectionManager Service Running
- Scheduled task executing powershell encoded payload from registry
- ChromeLoader Malware Detection