4794 An attempt was made to set the DSRM administrator password
Logged when the Directory Services Restore Mode (DSRM) administrator password is set or changed on a domain controller. Because the DSRM account can be turned into a hidden backdoor onto a DC, this event deserves attention whenever it appears.
Overview
The subcategory is Audit User Account Management. The event is generated when the administrator password of DSRM (Directory Services Restore Mode: a special boot mode that starts a domain controller with AD DS offline so the directory can be repaired or restored) is set or changed. The DSRM account is the DC's local Administrator; its password lives in the DC's local SAM, separately from Active Directory, so a domain password reset does not touch it.
How it is triggered
- When the DSRM administrator password is set or changed on a DC, typically with ntdsutil (the set dsrm password context, using either reset password on server null to set it locally or sync from domain account to copy a domain account's password) or a comparable tool.
Security review points
- The DSRM account is a local administrator that sits outside the domain, so it can serve as a hidden means of access to a DC. A known persistence technique: the attacker sets the DSRM password to a value they control (or syncs it from a domain account whose password they know), then sets the registry value DsrmAdminLogonBehavior under HKLM\SYSTEM\CurrentControlSet\Control\Lsa to 2, which allows the DSRM account to log on while the DC is running normally. With that in place the DSRM credentials (or the account's NT hash, via pass-the-hash) give a network logon to the DC that survives domain-side password resets.
- A 4794 from an unexpected subject or at an unexpected time should be treated as a suspected attempt to establish persistence (a backdoor) on the DC and investigated at top priority.
Notes for log review
- It is normally a rare operation (DC build-out or occasional operational changes at most). Alert on unplanned DSRM password changes at high priority.
- Track signs of DSRM abuse together with registry changes on the DC (4657, Audit Registry, for writes to DsrmAdminLogonBehavior, which requires a SACL on the Lsa key) and with logons to the DC by its local Administrator account (4624 where the account domain is the DC's own hostname rather than the AD domain).
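The following triage script is an added example, not part of the original page or of any Microsoft tooling. It checks the three indicators above on a domain controller: the current DsrmAdminLogonBehavior value, every 4794 in the window (subject, caller workstation, status), 4657 writes to that registry value, and network logons by the DC's local Administrator. It assumes an elevated session on the DC itself, that Audit User Account Management and Audit Registry (with a SACL on the Lsa key) are enabled, and that the XML Data names it reads (SubjectUserName, Workstation, Status for 4794; ObjectValueName, NewValue, ProcessName for 4657; TargetUserName, TargetDomainName, LogonType, IpAddress for 4624) match the event schemas in use.

```powershell
# Added example: DSRM backdoor triage on a domain controller. Run elevated on the DC.
# Lab trigger for a 4794 (do NOT run on production): ntdsutil, then
#   set dsrm password / reset password on server null / q / q
param([int]$Days = 30)

$since  = (Get-Date).AddDays(-$Days)
$dcName = $env:COMPUTERNAME

# Pull one named <Data> element out of an event's XML payload (names assumed per event schema).
function Get-EventField {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

# Get-WinEvent raises an error when nothing matches; treat that as an empty result set.
function Get-SecurityEvents {
    param([int]$Id)
    try {
        Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = $Id; StartTime = $since } -ErrorAction Stop
    } catch {
        @()
    }
}

# 1. Current registry state. Absent or 0 = DSRM logon only in DSRM (expected).
#    1 = allowed whenever AD DS is stopped. 2 = allowed at any time (the backdoor enabler).
$lsaKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$behavior = (Get-ItemProperty -Path $lsaKey -Name DsrmAdminLogonBehavior -ErrorAction SilentlyContinue).DsrmAdminLogonBehavior
if ($null -eq $behavior -or $behavior -eq 0) {
    Write-Output "[OK]    DsrmAdminLogonBehavior unset/0 on $dcName"
} else {
    Write-Output "[ALERT] DsrmAdminLogonBehavior = $behavior on $dcName (DSRM logon permitted outside DSRM)"
}

# 2. Every 4794 in the window. Healthy environments show none, or only ticketed DC build/ops work.
foreach ($e in Get-SecurityEvents -Id 4794) {
    $who    = '{0}\{1}' -f (Get-EventField $e 'SubjectDomainName'), (Get-EventField $e 'SubjectUserName')
    $from   = Get-EventField $e 'Workstation'
    $status = Get-EventField $e 'Status'      # 0x0 = the password change succeeded
    Write-Output "[4794]  $($e.TimeCreated)  subject=$who  caller=$from  status=$status"
}

# 3. 4657 writes to DsrmAdminLogonBehavior: the registry half of the technique.
$regWrites = Get-SecurityEvents -Id 4657 |
    Where-Object { (Get-EventField $_ 'ObjectValueName') -eq 'DsrmAdminLogonBehavior' }
foreach ($e in $regWrites) {
    $who  = '{0}\{1}' -f (Get-EventField $e 'SubjectDomainName'), (Get-EventField $e 'SubjectUserName')
    $proc = Get-EventField $e 'ProcessName'
    $new  = Get-EventField $e 'NewValue'
    Write-Output "[4657]  $($e.TimeCreated)  subject=$who  process=$proc  NewValue=$new"
}

# 4. Use of the backdoor. The DSRM account is the DC's *local* Administrator, so a successful logon
#    whose account domain is the DC's own hostname (not the AD domain) is the tell. XPath keeps the
#    4624 volume on a DC manageable; the time window is expressed in milliseconds for timediff().
$ms    = [int64]$Days * 24 * 60 * 60 * 1000
$xpath = "*[System[EventID=4624 and TimeCreated[timediff(@SystemTime) <= $ms]] and " +
         "EventData[Data[@Name='TargetDomainName']='$dcName' and Data[@Name='TargetUserName']='Administrator']]"
$dsrmLogons = try { Get-WinEvent -LogName Security -FilterXPath $xpath -ErrorAction Stop } catch { @() }
foreach ($e in $dsrmLogons) {
    $type = Get-EventField $e 'LogonType'     # 3 = network, 10 = RDP, 2 = interactive
    $ip   = Get-EventField $e 'IpAddress'
    Write-Output "[4624]  $($e.TimeCreated)  local Administrator logon type=$type from=$ip (possible DSRM use)"
}
```

Any [ALERT], any 4794 without a matching change record, any 4657 that sets NewValue to 1 or 2, and any 4624 hit should be pivoted on together: the same subject or source host appearing across steps 2 to 4 within a short interval is the full persistence chain described above.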
Key fields
| Field | Meaning |
|---|---|
| Subject\Account Name | The account that changed the DSRM password (together with Security ID, Account Domain and Logon ID) |
| Additional Information\Caller Workstation | The workstation from which the change was made |
| Additional Information\Status Code | 0x0 on success; non-zero indicates the attempt failed |
| Computer | The domain controller whose DSRM password was targeted |
Glossary
- DSRM — a special mode that boots a DC with AD offline for repair. It has a dedicated local administrator account that, abused, becomes a DC backdoor.