Windows password change on directory service restore account
Cette page n'est pas encore disponible en français, sa traduction est en cours.
Si vous avez des questions ou des retours sur notre projet de traduction actuel,
n'hésitez pas à nous contacter.
Goal
Detects password changes to the Directory Service Restore Mode (DSRM) account.
Strategy
This rule monitors for Windows event ID 4794, which is generated when the password of the DSRM account is changed. The DSRM account is a built-in local administrator account on domain controllers that’s used for recovery operations when Active Directory is not functioning properly.
The DSRM account has complete access to the Active Directory database and can be used to modify or extract sensitive directory information when booted into recovery mode. Because of its powerful capabilities, password changes for this account should be infrequent and strictly controlled.
Password changes to the DSRM account outside of documented maintenance windows are suspicious. Attackers who gain administrative access to a domain controller may modify the DSRM password to establish persistence that survives domain credential resets. This technique allows an attacker to regain control of a domain controller even after remediation efforts.
Triage & Response
- Verify which administrator account initiated the DSRM password change on
{{host}}. - Determine if the password change was part of scheduled maintenance or an approved administrative task.
- Check the authentication logs for the admin account that performed the change to verify it wasn’t compromised.
- Review other administrative actions taken by the same account around the time of the password change.
- Examine domain controller security logs for additional suspicious activities.
- Verify no unauthorized access to the DSRM account occurred following the password change.
- Document the current DSRM password and reset it.
- Reset credentials for any potentially compromised administrative accounts.
