Skip to content

Commit

Permalink
updating detection
Browse files Browse the repository at this point in the history
  • Loading branch information
research-bot committed Nov 1, 2024
1 parent 561dff0 commit 4dd393d
Showing 1 changed file with 2 additions and 2 deletions.
4 changes: 2 additions & 2 deletions detections/endpoint/windows_ad_dsrm_password_reset.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -8,7 +8,7 @@ status: production
data_source:
- Windows Event Log Security 4794
description: The following analytic detects attempts to reset the Directory Services Restore Mode (DSRM) administrator password on a Domain Controller. It leverages event code 4794 from the Windows Security Event Log, specifically looking for events where the DSRM password reset is attempted. This activity is significant because the DSRM account can be used similarly to a local administrator account, providing potential persistence for an attacker. If confirmed malicious, this could allow an attacker to maintain administrative access to the Domain Controller, posing a severe risk to the domain's security.
search: '| tstats `security_content_summariesonly` min(_time) as _time from datamodel=Change where All_Changes.result_id="4794" AND All_Changes.result="An attempt was made to set the Directory Services Restore Mode administrator password" by All_Changes.action, All_Changes.dest, All_Changes.src, All_Changes.user | `drop_dm_object_name(All_Changes)` | `windows_ad_dsrm_password_reset_filter`'
search: '| tstats `security_content_summariesonly` min(_time) as _time from datamodel=Change where All_Changes.result_id="4794" AND All_Changes.result="set the Directory Services Restore Mode administrator password" by All_Changes.action, All_Changes.dest, All_Changes.src, All_Changes.user | `drop_dm_object_name(All_Changes)` | `windows_ad_dsrm_password_reset_filter`'
how_to_implement: To successfully implement this search, you need to be ingesting eventcode `4794` and have the Advanced Security Audit policy `Audit User Account Management` within `Account Management` enabled.
known_false_positives: Resetting the DSRM password for legitamate reasons, i.e. forgot the password. Disaster recovery. Deploying AD backdoor deliberately.
references:
Expand Down Expand Up @@ -59,4 +59,4 @@ tests:
attack_data:
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/dsrm_account/windows-security-xml.log
source: XmlWinEventLog:Security
sourcetype: xmlwineventlog
sourcetype: XmlWinEventLog

0 comments on commit 4dd393d

Please sign in to comment.