splApache-2.0from splunk/security_content
Windows AD DSRM Password Reset
The following analytic detects attempts to reset the Directory Services Restore Mode (DSRM) administrator password on a Domain Controller. It leverages event code 4794 from the Windows Security Event Log, specifically looking for events where the DSRM password reset is attempted. This activity is significant because the DSRM account can be used similarly to a local administrator account, providing potential persistence for an attacker. If confirmed malicious, this could allow an attacker to maintain administrative access to the Domain Controller, posing a severe risk to the domain's security.
Quality
67
FP risk
—
Forks
0
Views
0
Rule sourcedetections/endpoint/windows_ad_dsrm_password_reset.yml
| tstats `security_content_summariesonly` min(_time) as _time FROM datamodel=Change
WHERE All_Changes.result_id="4794"
AND
All_Changes.result="set the Directory Services Restore Mode administrator password"
BY All_Changes.action, All_Changes.dest, All_Changes.src,
All_Changes.user
| `drop_dm_object_name(All_Changes)`
| `windows_ad_dsrm_password_reset_filter`