Password Change on Directory Service Restore Mode (DSRM) Account

Severity: high
Author: Thomas Patzke
Source: upstream

Detects potential attempts made to set the Directory Services Restore Mode administrator password. The Directory Service Restore Mode (DSRM) account is a local administrator account on Domain Controllers. Attackers may change the password in order to obtain persistence.

MITRE ATT&CK coverage

Tactic	Techniques
Persistence	`T1098` Account Manipulation
Privilege Escalation	`T1098` Account Manipulation

Event coverage

Provider	Event ID	Title
Security-Auditing	4794	An attempt was made to set the Directory Services Restore Mode administrator password.

Password Change on Directory Service Restore Mode (DSRM) Account

MITRE ATT&CK coverage

Event coverage

Stages and Predicates

Stage 1: `selection`

Keyboard Shortcuts

Password Change on Directory Service Restore Mode (DSRM) Account

MITRE ATT&CK coverage

Event coverage

Stages and Predicates

Stage 1: selection

Stage 1: `selection`