Windows AD DSRM Password Reset
- source: splunk
- techniques:
  - T1098
Description
Aside from its legitimate use when promoting domain controllers, the DSRM (Directory Services Restore Mode) administrator account can be used to persist within a domain. A DC can be configured to allow the DSRM account to log on and be used in the same way as a local administrator account. This detection looks for any password reset attempt against that account.
Detection logic
| tstats `security_content_summariesonly` min(_time) as _time from datamodel=Change where All_Changes.result_id="4794" AND All_Changes.result="An attempt was made to set the Directory Services Restore Mode administrator password" by All_Changes.action, All_Changes.dest, All_Changes.src, All_Changes.user
| `drop_dm_object_name(All_Changes)`
| `windows_ad_dsrm_password_reset_filter`
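The same logic applied outside Splunk, as an added example that is not part of the rule above: a Python function over constructed Windows Security event records (field names follow the Event 4794 XML; the `allowlist` parameter plays the role of the rule's filter macro and is an assumption, not something the rule defines).

```python
from collections import defaultdict

# Event 4794 is written on a DC whenever a DSRM administrator password set is
# attempted (success or failure). The rule keys on this ID and message text.
DSRM_RESET_EVENT_ID = 4794
DSRM_RESET_MESSAGE = ("An attempt was made to set the Directory Services "
                      "Restore Mode administrator password")

# Constructed sample events, not real telemetry. Times are epoch seconds.
SAMPLE_EVENTS = [
    {"_time": 1700000100, "EventCode": 4794, "Message": DSRM_RESET_MESSAGE,
     "Computer": "dc01.corp.example", "SubjectUserName": "svc_backup",
     "SubjectDomainName": "CORP", "Status": "0x0"},
    {"_time": 1700000200, "EventCode": 4724,  # ordinary user password reset, not DSRM
     "Message": "An attempt was made to reset an account's password",
     "Computer": "dc01.corp.example", "SubjectUserName": "helpdesk1",
     "SubjectDomainName": "CORP"},
    {"_time": 1700000300, "EventCode": 4794, "Message": DSRM_RESET_MESSAGE,
     "Computer": "dc01.corp.example", "SubjectUserName": "svc_backup",
     "SubjectDomainName": "CORP", "Status": "0x0"},
    {"_time": 1700000400, "EventCode": 4794, "Message": DSRM_RESET_MESSAGE,
     "Computer": "dc02.corp.example", "SubjectUserName": "Administrator",
     "SubjectDomainName": "CORP", "Status": "0xc0000022"},  # failed attempt still reported
]


def detect_dsrm_password_reset(events, allowlist=frozenset()):
    """Return one alert per (dest, user), carrying the earliest matching time
    and the event count, mirroring `min(_time) ... by dest, user` in the rule.
    Users in `allowlist` (DOMAIN\\name) are dropped, as the filter macro would."""
    hits = defaultdict(list)
    for ev in events:
        if ev.get("EventCode") != DSRM_RESET_EVENT_ID:
            continue
        if ev.get("Message") != DSRM_RESET_MESSAGE:
            continue
        user = f"{ev.get('SubjectDomainName', '')}\\{ev.get('SubjectUserName', '')}"
        if user in allowlist:
            continue
        hits[(ev.get("Computer", ""), user)].append(ev)
    alerts = []
    for (dest, user), evs in hits.items():
        first = min(evs, key=lambda e: e["_time"])
        alerts.append({"_time": first["_time"], "dest": dest, "user": user,
                       "status": first.get("Status", ""), "count": len(evs)})
    return sorted(alerts, key=lambda a: a["_time"])
```

Failed attempts (non-zero `Status`) are kept on purpose: a failed DSRM password set by an unexpected principal is as interesting as a successful one.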