Password Change on Directory Service Restore Mode (DSRM) Account (53ad8e36-f573-46bf-97e4-15ba5bf4bb51)
Detects potential attempts to set the Directory Services Restore Mode (DSRM) administrator password. The DSRM account is a local administrator account on Domain Controllers. Attackers may change its password to obtain persistence.
Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
---|---|---|---|---|
Account Manipulation - T1098 (a10641f4-87b4-45a3-a906-92a149cb2c27) | Attack Pattern | Password Change on Directory Service Restore Mode (DSRM) Account (53ad8e36-f573-46bf-97e4-15ba5bf4bb51) | Sigma-Rules | 1 |