LoFP: initial installation of a domain controller

Techniques

Sample rules

Password Change on Directory Service Restore Mode (DSRM) Account

Description

The Directory Service Restore Mode (DSRM) account is a local administrator account on Domain Controllers. Attackers may change the password to gain persistence.

Detection logic

selection:
  EventID: 4794
condition: selection
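The rule above selects every Windows Security event 4794 (an attempt to set the DSRM administrator password). The following is an added example, not part of the LoFP page or of any Sigma project code: it evaluates that selection against a few constructed events and tags hits that fall inside a known domain-controller installation window as the false positive this page documents. The `DC_INSTALL_TIME` inventory and the two-hour `INSTALL_WINDOW` are assumptions for the example.

```python
"""Added example: run the page's Sigma selection over constructed events and
mark hits that coincide with a known DC installation as the expected false positive."""
from datetime import datetime, timedelta

# Sigma rule as shown on the page (single selection, condition: selection).
RULE = {"selection": {"EventID": 4794}, "condition": "selection"}

# Constructed sample events; field names follow the Windows Security log.
EVENTS = [
    {"TimeCreated": "2024-03-01T09:05:00", "EventID": 4794, "Computer": "DC01", "SubjectUserName": "setupadmin"},
    {"TimeCreated": "2024-03-01T09:06:00", "EventID": 4624, "Computer": "DC01", "SubjectUserName": "setupadmin"},
    {"TimeCreated": "2024-03-20T22:41:00", "EventID": 4794, "Computer": "DC01", "SubjectUserName": "jdoe"},
]

# Assumed inventory: when each domain controller was promoted (not on the page).
DC_INSTALL_TIME = {"DC01": datetime(2024, 3, 1, 9, 0, 0)}
INSTALL_WINDOW = timedelta(hours=2)  # assumed tolerance after promotion


def matches_selection(event, selection):
    """Sigma selection semantics: every listed field must equal the event's value."""
    return all(event.get(field) == value for field, value in selection.items())


def evaluate(rule, events):
    """Return the events that satisfy the rule; only 'condition: selection' is supported here."""
    if rule["condition"] != "selection":
        raise ValueError("only single-selection conditions are handled in this example")
    return [e for e in events if matches_selection(e, rule["selection"])]


def classify(hits):
    """Tag each hit as the documented false positive or as something to investigate."""
    results = []
    for e in hits:
        ts = datetime.fromisoformat(e["TimeCreated"])
        installed = DC_INSTALL_TIME.get(e["Computer"])
        in_window = installed is not None and installed <= ts <= installed + INSTALL_WINDOW
        verdict = "expected: initial installation of a domain controller" if in_window else "investigate"
        results.append((e, verdict))
    return results


if __name__ == "__main__":
    for e, verdict in classify(evaluate(RULE, EVENTS)):
        print(e["TimeCreated"], e["Computer"], e["SubjectUserName"], "->", verdict)
```

Any 4794 outside the installation window on an established DC is still worth a look, since it is the persistence case the description warns about.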