Windows directory service restore mode password changed

windows

Classification:

attack

Tactic:

TA0003-persistence

Technique:

T1098-account-manipulation

This page is not yet available in Spanish. We are working on its translation.
If you have any questions or feedback about our current translation project, feel free to reach out to us!

Goal

Detect when a user resets the Directory Services Restore Mode (DSRM). The DSRM enabled emergency access to a Domain Controller. The DSRM user is a local administrator account that can be utilized for persistence.

Strategy

Monitoring of Windows event logs where @evt.id is 4794.

Triage and response

Verify if {{@Event.UserData.LogFileCleared.SubjectUserName}} has a legitimate reason to change the DSRM password on {{host}}.