Windows AD DSRM Password Reset

name: Windows AD DSRM Password Reset
id: d1ab841c-36a6-46cf-b50f-b2b04b31182a
version: 10
creation_date: '2022-09-08'
modification_date: '2026-05-13'
author: Dean Luxton
status: production
type: TTP
description: The following analytic detects attempts to reset the Directory Services Restore Mode (DSRM) administrator password on a Domain Controller. It leverages event code 4794 from the Windows Security Event Log, specifically looking for events where the DSRM password reset is attempted. This activity is significant because the DSRM account can be used similarly to a local administrator account, providing potential persistence for an attacker. If confirmed malicious, this could allow an attacker to maintain administrative access to the Domain Controller, posing a severe risk to the domain's security.
data_source:
    - Windows Event Log Security 4794
search: |-
    | tstats `security_content_summariesonly` min(_time) as _time FROM datamodel=Change
      WHERE All_Changes.result_id="4794"
        AND
        All_Changes.result="set the Directory Services Restore Mode administrator password"
      BY All_Changes.action, All_Changes.dest, All_Changes.src,
         All_Changes.user
    | `drop_dm_object_name(All_Changes)`
    | `windows_ad_dsrm_password_reset_filter`
how_to_implement: To successfully implement this search, you need to be ingesting eventcode `4794` and  have the Advanced Security Audit policy `Audit User Account Management` within `Account Management` enabled.
known_false_positives: Resetting the DSRM password for legitamate reasons, i.e. forgot the password. Disaster recovery. Deploying AD backdoor deliberately.
references:
    - https://adsecurity.org/?p=1714
drilldown_searches:
    - name: View the detection results for - "$user$" and "$dest$"
      search: '%original_detection_search% | search  user = "$user$" dest = "$dest$"'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
    - name: View risk events for the last 7 days for - "$user$" and "$dest$"
      search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
      earliest_offset: 7d
      latest_offset: "0"
finding:
    title: DSRM Account Password was reset on $dest$ by $user$
    entity:
        field: user
        type: user
        score: 50
intermediate_findings:
    entities:
        - field: dest
          type: system
          score: 50
          message: DSRM Account Password was reset on $dest$ by $user$
analytic_story:
    - Sneaky Active Directory Persistence Tricks
    - Scattered Lapsus$ Hunters
asset_type: Endpoint
mitre_attack_id:
    - T1098
product:
    - Splunk Enterprise
    - Splunk Enterprise Security
    - Splunk Cloud
category: endpoint
security_domain: endpoint
tests:
    - name: True Positive Test
      attack_data:
        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/dsrm_account/windows-security-xml.log
          source: XmlWinEventLog:Security
          sourcetype: XmlWinEventLog
      test_type: unit