Password Change on Directory Service Restore Mode (DSRM) Account
- source: sigma
- techniques:
  - T1098
Description
Detects potential attempts to set the Directory Services Restore Mode (DSRM) administrator password. The DSRM account is a local administrator account on Domain Controllers; attackers may change its password in order to obtain persistence.
Detection logic
selection:
    EventID: 4794
condition: selection
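The following is an added example, not part of the rule catalogue, showing how the selection above is evaluated against Windows Security events. It assumes events arrive as dicts in the shape an EVTX-to-JSON converter typically produces, carrying the fields Windows documents for event 4794 (SubjectUserName, SubjectDomainName, Workstation, Status); the sample events and host names are constructed, and only the single-selection form of a Sigma condition is handled.

```python
"""Evaluate the DSRM password-change rule against constructed Windows Security
events (added example; not part of the rule catalogue).

Assumptions (not from the page): events are dicts as emitted by a typical
EVTX-to-JSON converter, with the fields Windows documents for event 4794
(SubjectUserName, SubjectDomainName, Workstation, Status). Only a Sigma
condition that names a single selection is handled.
"""
from __future__ import annotations
from typing import Any

# The rule's detection section, transcribed as a Python dict.
DSRM_RULE = {
    "title": "Password Change on Directory Service Restore Mode (DSRM) Account",
    "detection": {
        "selection": {"EventID": 4794},
        "condition": "selection",
    },
}

# Constructed sample events: two DSRM password-change attempts and one
# ordinary user password reset (event 4724), which the rule must not flag.
SAMPLE_EVENTS = [
    {"EventID": 4794, "Computer": "DC01.corp.example", "SubjectUserName": "admin.ops",
     "SubjectDomainName": "CORP", "Workstation": "DC01", "Status": "0x0"},
    {"EventID": 4724, "Computer": "DC01.corp.example", "SubjectUserName": "helpdesk1",
     "SubjectDomainName": "CORP", "TargetUserName": "jsmith"},
    {"EventID": 4794, "Computer": "DC02.corp.example", "SubjectUserName": "svc-backup",
     "SubjectDomainName": "CORP", "Workstation": "WS-447", "Status": "0xC0000022"},
]


def field_matches(event: dict, field: str, expected: Any) -> bool:
    """Sigma semantics for one selection entry: a list of values is an OR,
    a scalar must equal the event's value. Values are compared as strings so
    EventID 4794 matches whether the converter emits an int or a str."""
    value = event.get(field)
    if value is None:
        return False
    candidates = expected if isinstance(expected, list) else [expected]
    return any(str(value) == str(c) for c in candidates)


def selection_matches(event: dict, selection: dict) -> bool:
    """Every entry of a selection map must hold (Sigma AND)."""
    return all(field_matches(event, f, v) for f, v in selection.items())


def evaluate_rule(rule: dict, events: list[dict]) -> list[dict]:
    """Apply a rule whose condition is a single named selection and return one
    alert per matching event, carrying the fields an analyst triages first."""
    detection = rule["detection"]
    name = detection["condition"].strip()
    if name not in detection:
        raise ValueError(f"unsupported condition: {name!r}")
    selection = detection[name]
    alerts = []
    for ev in events:
        if selection_matches(ev, selection):
            alerts.append({
                "rule": rule["title"],
                "host": ev.get("Computer"),
                "actor": f"{ev.get('SubjectDomainName')}\\{ev.get('SubjectUserName')}",
                "workstation": ev.get("Workstation"),
                # Status 0x0 means the DSRM password was actually set; any other
                # value records a failed attempt, which still deserves triage.
                "succeeded": ev.get("Status") == "0x0",
            })
    return alerts


if __name__ == "__main__":
    for alert in evaluate_rule(DSRM_RULE, SAMPLE_EVENTS):
        print(alert)
```

Because the selection keys only on EventID, every 4794 fires regardless of outcome; the alert's `succeeded` flag, derived from the event's Status field, lets a triage queue prioritise the successful change on DC01 over the failed attempt from WS-447 without losing either.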