Event ID 4794 — An attempt was made to set the Directory Services Restore Mode administrator password.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Account Management → User Account Management
Collection Priority: Recommended (Yamato Security, others)
Opcode: Info

Description

An attempt was made to set the Directory Services Restore Mode.

Message #

An attempt was made to set the Directory Services Restore Mode
administrator password.

Subject:
	Security ID: %1
	Account Name: %2
	Account Domain: %3
	Logon ID: %4

Additional Information:
	Caller Workstation: %5
	Status Code: %6

Fields #

Name	Description
`Security_ID`	[Subject] Security ID.
`Account_Name`	[Subject] Account Name.
`Account_Domain`	[Subject] Account Domain.
`Logon_ID`	[Subject] Logon ID.
`Caller_Workstation`	[Additional Information] Caller Workstation.
`Status_Code`	[Additional Information] Status Code.

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
    "event_source_name": "",
    "event_id": 4794,
    "version": 0,
    "level": 0,
    "task": 13824,
    "opcode": 0,
    "keywords": 9232379236109516800,
    "time_created": "2017-06-09T19:21:26.968669Z",
    "event_record_id": 3139859,
    "correlation": {
      "#attributes": {
        "ActivityID": "3B48C871-DFE6-0000-A5C8-483BE6DFD201"
      }
    },
    "execution": {
      "process_id": 792,
      "thread_id": 1648
    },
    "channel": "Security",
    "computer": "2016dc.hqcorp.local",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "SubjectUserSid": "S-1-5-21-1913345275-1711810662-261465553-500",
    "SubjectUserName": "administrator",
    "SubjectDomainName": "HQCORP",
    "SubjectLogonId": "0x2f336f",
    "Workstation": "2016DC",
    "Status": "0x0"
  }
}

Detection Rules #

View all rules referencing this event →

Sigma # view in reference

Password Change on Directory Service Restore Mode (DSRM) Account source high: Detects potential attempts made to set the Directory Services Restore Mode administrator password. The Directory Service Restore Mode (DSRM) account is a local administrator account on Domain Controllers. Attackers may change the password in order to obtain persistence.

Splunk # view in reference

Windows AD DSRM Password Reset source: The following analytic detects attempts to reset the Directory Services Restore Mode (DSRM) administrator password on a Domain Controller. It leverages event code 4794 from the Windows Security Event Log, specifically looking for events where the DSRM password reset is attempted. This activity is significant because the DSRM account can be used similarly to a local administrator account, providing potential persistence for an attacker. If confirmed malicious, this could allow an attacker to maintain administrative access to the Domain Controller, posing a severe risk to the domain's security.

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4794
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-user-account-management
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4794
Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx