Windows AD DSRM Password Reset

name: Windows AD DSRM Password Reset
id: d1ab841c-36a6-46cf-b50f-b2b04b31182a
version: 8
date: '2026-03-10'
author: Dean Luxton
type: TTP
status: production
data_source:
    - Windows Event Log Security 4794
description: The following analytic detects attempts to reset the Directory Services Restore Mode (DSRM) administrator password on a Domain Controller. It leverages event code 4794 from the Windows Security Event Log, specifically looking for events where the DSRM password reset is attempted. This activity is significant because the DSRM account can be used similarly to a local administrator account, providing potential persistence for an attacker. If confirmed malicious, this could allow an attacker to maintain administrative access to the Domain Controller, posing a severe risk to the domain's security.
search: |-
    | tstats `security_content_summariesonly` min(_time) as _time FROM datamodel=Change
      WHERE All_Changes.result_id="4794"
        AND
        All_Changes.result="set the Directory Services Restore Mode administrator password"
      BY All_Changes.action, All_Changes.dest, All_Changes.src,
         All_Changes.user
    | `drop_dm_object_name(All_Changes)`
    | `windows_ad_dsrm_password_reset_filter`
how_to_implement: To successfully implement this search, you need to be ingesting eventcode `4794` and  have the Advanced Security Audit policy `Audit User Account Management` within `Account Management` enabled.
known_false_positives: Resetting the DSRM password for legitamate reasons, i.e. forgot the password. Disaster recovery. Deploying AD backdoor deliberately.
references:
    - https://adsecurity.org/?p=1714
drilldown_searches:
    - name: View the detection results for - "$user$" and "$dest$"
      search: '%original_detection_search% | search  user = "$user$" dest = "$dest$"'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
    - name: View risk events for the last 7 days for - "$user$" and "$dest$"
      search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
rba:
    message: DSRM Account Password was reset on $dest$ by $user$
    risk_objects:
        - field: user
          type: user
          score: 50
        - field: dest
          type: system
          score: 50
    threat_objects: []
tags:
    analytic_story:
        - Sneaky Active Directory Persistence Tricks
        - Scattered Lapsus$ Hunters
    asset_type: Endpoint
    mitre_attack_id:
        - T1098
    product:
        - Splunk Enterprise
        - Splunk Enterprise Security
        - Splunk Cloud
    security_domain: endpoint
tests:
    - name: True Positive Test
      attack_data:
        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/dsrm_account/windows-security-xml.log
          source: XmlWinEventLog:Security
          sourcetype: XmlWinEventLog