DSRM Account Compromise

Rule added on 30th May, 2024

Rule type:

Correlation

Rule description:

The Directory Service Restore Mode (DSRM) account is a local administrator account that is used when a domain controller (DC) is rebooted into the server recovery mode. It allows administrators to perform repair or recovery tasks on Active Directory (AD) data.

If the DSRM account is compromised, attackers can use it to log on to the DC over the network as a local administrator and manipulate, delete, or steal sensitive AD data. This could result in severe security breaches, including unauthorized access, data exfiltration, and the creation of backdoors for later access.

Attack chain scenario: Brute force -> DSRM account compromise -> Data exfiltration

Impact:

It can impact organizations in the following ways:

  • Data exfiltration
  • Unauthorized access to AD data
  • Disruption of IT deployment

Data source:

Windows > User Management

Required configuration: The rule relies on the Advanced Security Audit Policy, specifically the Audit User Account Management subcategory, being enabled.

Relevant MITRE ATT&CK techniques and tactics:

Tactic: TA0003 - Persistence

Technique: T1098 - Account Manipulation

Criteria:

This rule is triggered by Event ID 4794 (An attempt was made to set the Directory Services Restore Mode administrator password), which falls under the Audit User Account Management subcategory.
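As an added illustration of this criterion (example code, not part of this rule document or the product): a small Python detector that reads Security events exported in Event Viewer's XML format, keeps only Event ID 4794, and emits one alert carrying the subject account, the caller workstation, the status code, and the ATT&CK mapping above. The sample events, host names and accounts are constructed; the Data field names follow the 4794 event schema.

```python
import xml.etree.ElementTree as ET

# Namespace used by Windows Security event XML (Event Viewer "XML View").
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Constructed sample export: one 4794 (DSRM password set) plus an unrelated 4720 to skip.
SAMPLE_EVENTS = """<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>4794</EventID><Computer>dc01.corp.example</Computer>
  <TimeCreated SystemTime="2024-05-30T10:15:02Z"/></System>
 <EventData>
  <Data Name="SubjectUserSid">S-1-5-21-1-2-3-1105</Data>
  <Data Name="SubjectUserName">jdoe</Data><Data Name="SubjectDomainName">CORP</Data>
  <Data Name="SubjectLogonId">0x3e7a1</Data>
  <Data Name="Workstation">WS-FINANCE-07</Data><Data Name="Status">0x0</Data>
 </EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>4720</EventID><Computer>dc01.corp.example</Computer>
  <TimeCreated SystemTime="2024-05-30T10:16:00Z"/></System>
 <EventData><Data Name="TargetUserName">svc-backup</Data></EventData></Event>
</Events>"""

def parse_events(xml_text):
    """Yield one flat dict per <Event>: System fields plus every EventData <Data>."""
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        system = ev.find("e:System", NS)
        rec = {
            "EventID": int(system.findtext("e:EventID", namespaces=NS)),
            "Computer": system.findtext("e:Computer", namespaces=NS),
            "Time": system.find("e:TimeCreated", NS).get("SystemTime"),
        }
        for data in ev.findall("e:EventData/e:Data", NS):
            rec[data.get("Name")] = data.text
        yield rec

def dsrm_alerts(xml_text):
    """Correlation rule: each Event ID 4794 becomes one alert tagged TA0003 / T1098."""
    alerts = []
    for rec in parse_events(xml_text):
        if rec["EventID"] != 4794:
            continue  # not a DSRM password-set attempt
        alerts.append({
            "rule": "DSRM Account Compromise",
            "tactic": "TA0003", "technique": "T1098",
            "dc": rec["Computer"], "time": rec["Time"],
            "actor": f"{rec.get('SubjectDomainName')}\\{rec.get('SubjectUserName')}",
            "workstation": rec.get("Workstation"),
            "succeeded": rec.get("Status") == "0x0",  # 0x0 = the password was actually set
        })
    return alerts
```

The "workstation" and "actor" fields are what an analyst compares against the change calendar when triaging the known false positives listed below.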

When to enable this rule:

Security standards (NIST CSF 2.0):

Enabling this rule will help you meet the security standards' requirements listed below:

PR.AA-05: Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties

When this rule is triggered, you're notified of the potential compromise of the DSRM account. This enables you to review access and permissions, take corrective actions, and implement measures such as multi-factor authentication.

Known false positives: This event might be generated by administrators for legitimate reasons, such as maintenance and recovery of Active Directory (AD) services, disaster recovery, or the deliberate deployment of AD backdoors.

Next steps:

When this alert is triggered, the following measures can be implemented:

  • Identification: Identify if the alert is a new incident or part of an existing incident.
  • Analysis: Analyze the impact and extent of the compromise to comprehend the severity of the attack.
  • Response: Respond promptly by initiating an automated workflow to stop the malicious process.
  • Implement MFA: Implement MFA to provide an additional layer of security beyond the password.