mirror of
https://github.com/valitydev/SigmaHQ.git
synced 2024-11-07 09:48:58 +00:00
16 lines
530 B
YAML
16 lines
530 B
YAML
title: Password Change on Directory Service Restore Mode (DSRM) Account
|
|
status: stable
|
|
description: The Directory Service Restore Mode (DSRM) account is a local administrator account on Domain Controllers. Attackers may change the password to gain persistence.
|
|
reference: https://adsecurity.org/?p=1714
|
|
author: Thomas Patzke
|
|
logsource:
|
|
product: windows
|
|
service: security
|
|
detection:
|
|
selection:
|
|
EventID: 4794
|
|
condition: selection
|
|
falsepositives:
|
|
- Initial installation of a domain controller
|
|
level: high
|