Password Change on Directory Service Restore Mode (DSRM) Account
- source: sigma
- techniques:
  - t1098
Description
The Directory Service Restore Mode (DSRM) account is a local administrator account that exists on every Domain Controller. Attackers may change its password to gain persistence.
Detection logic
selection:
  EventID: 4794
condition: selection
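The detection block above is a single selection on Windows Security event 4794 (an attempt to set the DSRM administrator password). The following script, added here as an example and not part of the Sigma rule or its tooling, mirrors that logic in Python and runs it over a few constructed Security-log records. The record field names SubjectUserName, SubjectDomainName, Workstation and Status are assumptions based on the standard layout of event 4794; the computer names, accounts and status codes in the sample data are made up.

```python
"""Evaluate the DSRM password-change rule (EventID 4794) over sample events.

Added example; not part of the rule page. Events are constructed inline in the
shape of Windows Security log records exported as dicts. The field names
SubjectUserName, SubjectDomainName, Workstation and Status are assumptions
taken from the usual 4794 event layout.
"""
from typing import Any, Dict, Iterable, List

# The rule's detection block, mirrored as a Python structure.
RULE: Dict[str, Any] = {
    "selection": {"EventID": 4794},
    "condition": "selection",
}


def field_matches(event_value: Any, expected: Any) -> bool:
    """Sigma-style field comparison.

    A list of expected values is an OR; values are compared as
    case-insensitive strings so an exported EventID of "4794" (string)
    matches the rule's 4794 (integer).
    """
    candidates = expected if isinstance(expected, list) else [expected]
    return any(str(event_value).lower() == str(c).lower() for c in candidates)


def selection_matches(event: Dict[str, Any], selection: Dict[str, Any]) -> bool:
    """Every key in a selection map must be present and match (AND semantics)."""
    return all(
        key in event and field_matches(event[key], value)
        for key, value in selection.items()
    )


def evaluate(event: Dict[str, Any], rule: Dict[str, Any]) -> bool:
    """Apply the rule. Only the single-selection condition this rule uses is supported."""
    selection_name = rule["condition"]
    return selection_matches(event, rule[selection_name])


def find_dsrm_password_changes(events: Iterable[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Return one alert per matching event with the fields an analyst triages first."""
    alerts: List[Dict[str, Any]] = []
    for ev in events:
        if evaluate(ev, RULE):
            alerts.append({
                "computer": ev.get("Computer"),
                "subject": f"{ev.get('SubjectDomainName')}\\{ev.get('SubjectUserName')}",
                "workstation": ev.get("Workstation"),
                # A zero NTSTATUS means the DSRM password was actually set.
                "succeeded": str(ev.get("Status", "")).lower() in ("0x0", "0"),
            })
    return alerts


# Constructed sample records (not real telemetry).
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {  # Ordinary logon on a DC: must not match.
        "EventID": 4624, "Computer": "DC01.contoso.local",
        "SubjectUserName": "adm-jane", "SubjectDomainName": "CONTOSO",
    },
    {  # Successful DSRM password set from the DC console.
        "EventID": 4794, "Computer": "DC01.contoso.local",
        "SubjectUserName": "adm-jane", "SubjectDomainName": "CONTOSO",
        "Workstation": "DC01", "Status": "0x0",
    },
    {  # Failed attempt from a remote workstation; EventID exported as a string.
        "EventID": "4794", "Computer": "DC02.contoso.local",
        "SubjectUserName": "svc-backup", "SubjectDomainName": "CONTOSO",
        "Workstation": "WS-17", "Status": "0xC0000022",
    },
]

if __name__ == "__main__":
    for alert in find_dsrm_password_changes(SAMPLE_EVENTS):
        print(alert)
```

Both 4794 records are reported, including the failed one: the rule fires on the attempt, not on success, so the Status field is surfaced in the alert for triage rather than used to filter. Comparing values as strings is deliberate, because EVTX-to-JSON exporters differ on whether EventID is emitted as an integer or a string.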