Classification:

attack

Tactic:

TA0003-persistence

Technique:

T1098-account-manipulation

VIEW RULE IN DATADOG VIEW SIGNALS

Goal

Detect when a user resets the Directory Services Restore Mode (DSRM). The DSRM enabled emergency access to a Domain Controller. The DSRM user is a local administrator account that can be utilized for persistence.

Strategy

Monitoring of Windows event logs where @evt.id is 4794.

Triage and response

Verify if {{@Event.UserData.LogFileCleared.SubjectUserName}} has a legitimate reason to change the DSRM password on {{host}}.