LoFP / Resetting the DSRM password for legitimate reasons, i.e. forgot the password. Disaster recovery. Deploying an AD backdoor deliberately.

Techniques

Sample rules

Windows AD DSRM Password Reset

Description

Aside from being used to promote genuine domain controllers, the DSRM (Directory Services Restore Mode) account can be used to persist within a domain. A DC can be configured to allow the DSRM account to log on and be used in the same way as a local administrator account. This detection looks for any password reset attempt against that account (Windows Security Event ID 4794).

Detection logic


| tstats `security_content_summariesonly` min(_time) as _time from datamodel=Change where All_Changes.result_id="4794" AND All_Changes.result="An attempt was made to set the Directory Services Restore Mode administrator password" by All_Changes.action, All_Changes.dest, All_Changes.src, All_Changes.user 
| `drop_dm_object_name(All_Changes)` 
| `windows_ad_dsrm_password_reset_filter`
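The following Python is an added example, not part of the LoFP page or of the Splunk rule it catalogues. It replays the rule's logic over a handful of constructed Security events: keep Event ID 4794 records carrying the DSRM message from the search above, report the earliest time per (action, dest, src, user) group as the `tstats ... min(_time)` clause does, then apply a constructed approved-change-window allowlist that stands in for the `windows_ad_dsrm_password_reset_filter` macro, so that the legitimate cases this page lists (forgotten password, disaster recovery drill) are tuned out while everything else is surfaced for review. The field names (`EventCode`, `Message`, `host`, `user`, `src`, `action`) and the sample values are assumptions for this example, not a guaranteed Windows or Splunk schema.

```python
"""Added example: replay the Windows AD DSRM Password Reset detection over
constructed Security events and apply a stand-in for the filter macro."""
from datetime import datetime

# Event ID and message text are the ones the Splunk rule matches on.
DSRM_RESET_EVENT_ID = "4794"
DSRM_RESET_MESSAGE = (
    "An attempt was made to set the Directory Services Restore Mode "
    "administrator password"
)

# Constructed sample events. Field names are assumptions for this example.
SAMPLE_EVENTS = [
    {"_time": "2024-03-01T02:10:00", "EventCode": "4794", "Message": DSRM_RESET_MESSAGE,
     "host": "DC01", "user": "CORP\\admin.jane", "src": "10.0.0.5", "action": "modified"},
    {"_time": "2024-03-01T02:12:00", "EventCode": "4794", "Message": DSRM_RESET_MESSAGE,
     "host": "DC01", "user": "CORP\\admin.jane", "src": "10.0.0.5", "action": "modified"},
    {"_time": "2024-03-02T23:40:00", "EventCode": "4794", "Message": DSRM_RESET_MESSAGE,
     "host": "DC02", "user": "CORP\\svc-backup", "src": "10.0.0.77", "action": "modified"},
    # A different password event on the same host: must not match.
    {"_time": "2024-03-02T23:41:00", "EventCode": "4724",
     "Message": "An attempt was made to reset an account's password.",
     "host": "DC02", "user": "CORP\\svc-backup", "src": "10.0.0.77", "action": "modified"},
]


def find_dsrm_resets(events):
    """Mirror the tstats search: keep 4794 events carrying the DSRM message and
    return the earliest _time per (action, dest, src, user) group, oldest first."""
    earliest = {}
    for ev in events:
        if ev.get("EventCode") != DSRM_RESET_EVENT_ID:
            continue
        if ev.get("Message") != DSRM_RESET_MESSAGE:
            continue
        key = (ev["action"], ev["host"], ev["src"], ev["user"])
        ts = datetime.fromisoformat(ev["_time"])
        if key not in earliest or ts < earliest[key]:
            earliest[key] = ts
    return [
        {"action": a, "dest": d, "src": s, "user": u, "_time": t}
        for (a, d, s, u), t in sorted(earliest.items(), key=lambda kv: kv[1])
    ]


# Constructed allowlist standing in for `windows_ad_dsrm_password_reset_filter`:
# an approved DSRM reset (e.g. a scheduled disaster-recovery drill) scoped to a
# specific DC, operator and time window, so it cannot mask unrelated resets.
APPROVED_CHANGE_WINDOWS = [
    {"dest": "DC01", "user": "CORP\\admin.jane",
     "start": datetime(2024, 3, 1, 2, 0), "end": datetime(2024, 3, 1, 3, 0)},
]


def apply_filter(hits, windows=APPROVED_CHANGE_WINDOWS):
    """Drop hits covered by an approved change window; whatever remains is an
    alert an analyst should review, since a DSRM reset outside an approved
    window is exactly the persistence case the rule exists to catch."""
    def approved(hit):
        return any(
            w["dest"] == hit["dest"] and w["user"] == hit["user"]
            and w["start"] <= hit["_time"] <= w["end"]
            for w in windows
        )
    return [h for h in hits if not approved(h)]


if __name__ == "__main__":
    hits = find_dsrm_resets(SAMPLE_EVENTS)
    print(f"{len(hits)} DSRM reset group(s) matched the search")
    for alert in apply_filter(hits):
        print(f"ALERT {alert['_time']} dest={alert['dest']} user={alert['user']} src={alert['src']}")
```

The allowlist is deliberately narrow (host, operator and time window together) because the false positives on this page are all bounded, planned activity; a filter that suppressed 4794 for a whole account or a whole DC would also suppress the persistence case the rule is meant to catch.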