Windows Directory Service Restore Mode password changed



Detect when a user resets the Directory Services Restore Mode (DSRM). The DSRM enabled emergency access to a Domain Controller. The DSRM user is a local administrator account that can be utilized for persistence.


Monitoring of Windows event logs where is 4794.

Triage and response

Verify if {{@Event.UserData.LogFileCleared.SubjectUserName}} has a legitimate reason to change the DSRM password on {{host}}.