Detection rules › Splunk
Windows AD DSRM Password Reset
The following analytic detects attempts to reset the Directory Services Restore Mode (DSRM) administrator password on a Domain Controller. It leverages event code 4794 from the Windows Security Event Log, specifically looking for events where the DSRM password reset is attempted. This activity is significant because the DSRM account can be used similarly to a local administrator account, providing potential persistence for an attacker. If confirmed malicious, this could allow an attacker to maintain administrative access to the Domain Controller, posing a severe risk to the domain's security.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Persistence | T1098 Account Manipulation |
| Privilege Escalation | T1098 Account Manipulation |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Security-Auditing | 4794 | An attempt was made to set the Directory Services Restore Mode administrator password. |
Stages and Predicates
Stage 1: tstats
tstats WHERE All_Changes.result="set the Directory Services Restore Mode administrator password" All_Changes.result_id="4794" BY All_Changes.action, All_Changes.dest, All_Changes.src, All_Changes.user
Stage 2: search
search
Stage 3: search
search `macro`
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
All_Changes.result | eq |
|
All_Changes.result_id | eq |
|