How to detect and respond to a DSRM Password Change using ADAudit Plus

In this article:  

  • Objective

  • Prerequisites

  • Steps to follow

  • Validation and confirmation

  • Tips

  • Related topics and articles

Objective  

This article explains how to use ADAudit Plus to detect when the Directory Services Restore Mode (DSRM) password is changed, understand the security implications and immediate remediation steps, and implement long-term prevention strategies.

Prerequisites  

  • You must have administrator access to the ADAudit Plus web console.

  • The audit policy that generates Event ID 4794 (An attempt was made to set the Directory Services Restore Mode administrator password) must be enabled on all Domain Controllers. This event belongs to the Account Management category, so enable Account Management > Audit User Account Management (Success) under Advanced Audit Policy Configuration; the Authorization Policy Change subcategory does not produce it. Note that 4794 is logged on the DC whose DSRM password was set, so the policy has to be in force on every DC, not just the PDC emulator.

Steps to follow  

The process for handling a DSRM Password Change involves detection, immediate remediation, and prevention.

Part 1: Detecting the event  

  1. Navigate to the Active Directory Tab > Attack Surface Analyzer > Threats > DSRM Password change.

  2. This report shows all detections of the DSRM password being reset on a Domain Controller.

Part 2: Understanding the detection criteria  

ADAudit Plus detects this event based on the following pattern:

  • Description: The Directory Services Restore Mode (DSRM) password was reset. The DSRM account is the built-in local Administrator of a Domain Controller, stored in the DC's offline SAM rather than in Active Directory, and is meant to be used only when the DC is booted into DSRM. An attacker who already holds high privileges may set this password to a value they know, giving them a logon to the DC that does not depend on any domain account and that survives domain-wide password resets. Combined with the DsrmAdminLogonBehavior registry setting, which can permit the DSRM account to log on while AD DS is running, this is a well-known persistence technique.

  • Detection Logic:

    • Event code equals 4794.

    • Subject Account Name does not end with $, i.e., the password was set under a user account rather than a computer account, which filters out machine-account noise and leaves the interactive or scripted changes an administrator (or an attacker using an administrator's credentials) would make.
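The following PowerShell is an added illustration, not code from ADAudit Plus, that applies the same two detection conditions directly to the Security log of one or more DCs so a finding in the report can be cross-checked at the source. The DC names are placeholders, and it assumes you run it as an account with remote event log read rights on each DC. The event data field names (SubjectUserName, SubjectDomainName, SubjectLogonId, Workstation, Status) are the standard fields of Event ID 4794.

```powershell
# Added example: reproduce the ADAudit Plus "DSRM Password change" detection
# against the Security log of each DC. Run from a Tier 0 admin workstation.
param(
    [string[]]$DomainController = @('DC01.corp.example', 'DC02.corp.example'),  # assumption: your DC names
    [int]$Days = 30
)

$filter = @{
    LogName   = 'Security'
    Id        = 4794                             # condition 1: event code equals 4794
    StartTime = (Get-Date).AddDays(-$Days)
}

foreach ($dc in $DomainController) {
    # Get-WinEvent returns nothing (and writes an error) when no events match;
    # SilentlyContinue turns that into an empty result for this DC.
    $events = Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # Pull the named EventData fields out of the event XML.
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        # condition 2: subject account name does not end with $ (ignore machine accounts).
        # Single quotes keep '$' literal; -notlike treats it as an ordinary character.
        if ($data['SubjectUserName'] -notlike '*$') {
            [pscustomobject]@{
                DomainController = $dc
                TimeCreated      = $e.TimeCreated
                SubjectAccount   = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
                LogonId          = $data['SubjectLogonId']
                CallerWorkstation = $data['Workstation']
                Status           = $data['Status']   # 0x0 means the password was actually set
            }
        }
    }
}
```

Run it as a script and pipe the output to Format-Table or Export-Csv. The LogonId value is the pivot for the investigation in Part 3: correlate it with the 4624 logon event on the same DC to see the source address and logon type the attacker used, and with 4688 process creation events (if enabled) to see whether ntdsutil was invoked.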

Part 3: Immediate remediation  

An unauthorized DSRM password change is a high-privilege activity and should be treated as a critical security incident.

  1. Verify Legitimacy: Immediately confirm with your Active Directory administration team if the DSRM password change was an authorized and scheduled maintenance activity.

  2. Disable the Compromised Account: If the change was unauthorized, the DSRM Password Change report in ADAudit Plus shows the Subject Account Name that performed the action. Changing the DSRM password requires Domain Admin-equivalent rights on the DC, so treat that account as compromised: disable it immediately, reset its password, and revoke its existing sessions and Kerberos tickets, then preserve the account for investigation rather than deleting it.

  3. Reset the DSRM Password: Immediately reset the DSRM password on the affected Domain Controller (and preferably all DCs) with ntdsutil (set dsrm password) to a new, complex password known only to authorized personnel, and store it securely. While on each DC, also check the DsrmAdminLogonBehavior value under HKLM\SYSTEM\CurrentControlSet\Control\Lsa; a value of 2 allows the DSRM account to log on while AD DS is running and is a strong indicator that a backdoor was being prepared.

  4. Investigate the Initial Compromise: An attacker who can change the DSRM password already has significant control over your environment. A full forensic investigation is required to determine how they gained this level of access and what other actions they may have performed.
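The following PowerShell is an added example of the containment portion of this procedure (steps 3 and the registry check), not ADAudit Plus code or a Microsoft script. It assumes an elevated session as a Domain Admin on a Tier 0 host, the ActiveDirectory module, and WinRM reachability to each DC for the registry check; ntdsutil itself reaches the target DC over RPC. It does not automate step 2 or step 4.

```powershell
# Added example: reset the DSRM password on every writable DC and check each DC
# for the registry setting attackers pair with a DSRM backdoor.
Import-Module ActiveDirectory

# Writable DCs only: RODCs do not hold a usable DSRM administrator in the same way.
$dcs = (Get-ADDomainController -Filter { IsReadOnly -eq $false }).HostName

foreach ($dc in $dcs) {
    # ntdsutil prompts twice for the new password and does not echo it.
    # Enter the same value on every DC so the DSRM password stays synchronized,
    # then record it in the password vault (step 3).
    Write-Host "Resetting DSRM password on $dc"
    ntdsutil "set dsrm password" "reset password on server $dc" q q

    # DsrmAdminLogonBehavior: absent/0 = DSRM account usable only when booted into DSRM,
    # 1 = also when the AD DS service is stopped, 2 = at any time (the backdoor setting).
    $behavior = Invoke-Command -ComputerName $dc -ScriptBlock {
        (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
            -Name DsrmAdminLogonBehavior -ErrorAction SilentlyContinue).DsrmAdminLogonBehavior
    }

    if ($behavior -eq 2) {
        Write-Warning "$dc allows DSRM logon while AD is running (DsrmAdminLogonBehavior=2). Capture the registry key's last-write time for the timeline, then remove the value."
    } elseif ($behavior -eq 1) {
        Write-Warning "$dc has DsrmAdminLogonBehavior=1; confirm this was an authorized change."
    } else {
        Write-Host "$dc: DsrmAdminLogonBehavior is default"
    }
}
```

Do not use the ntdsutil "sync from domain account" option here: it copies a domain account's password into the DSRM account, which is exactly the trick an attacker uses to keep a known password on the DC, and it ties DSRM access to a domain credential that may itself be compromised. Removing a DsrmAdminLogonBehavior value of 2 (Remove-ItemProperty on the same key) is deliberately left to a manual step after the registry key's timestamp has been preserved as evidence.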

Validation and confirmation  

  • After remediation, monitor the DSRM Password Change report in ADAudit Plus to ensure no new unauthorized changes are made.

  • The new, authorized DSRM password should be verified and securely documented in your password vault.

  • The investigation should confirm that the attacker's initial access vector has been identified and closed.

Tips  

The following best practices are critical for preventing the abuse of the DSRM account.

Principle of Least Privilege (PoLP)  

  • Restrict Domain Admin Rights: Strictly limit membership in privileged groups like Domain Admins and Enterprise Admins, as these are the accounts capable of changing the DSRM password.

Secure Privileged Accounts  

  • Implement a Tiered Access Model: Keep privileged credentials off less secure systems by ensuring they are only used on hosts of an equivalent or higher security tier (for example, Tier 0 accounts only on Tier 0 assets such as Domain Controllers and dedicated admin workstations). Credential theft from a lower-tier host is the usual path to the Domain Admin rights needed to set the DSRM password.

  • Use Privileged Access Management (PAM): Implement PAM solutions to control and monitor all administrative actions on Domain Controllers.

Monitoring and Policy  

  • Treat All DSRM Changes as Alerts: Any DSRM password change (Event ID 4794) should be treated as a high-priority security alert. Legitimate changes are rare and should always follow a documented change management process.

  • Synchronize DSRM Passwords: Ensure DSRM passwords are synchronized across all Domain Controllers and are included in your secure password vaulting and rotation policies.

Related topics and articles  

  • How to configure Attack Surface Analyzer in ADAudit Plus
