EventPeeker

Event ID 4794 — DSRM Account Password Change

Event ID 4794 is logged when the Directory Services Restore Mode (DSRM) administrator password on a domain controller is changed. DSRM is an offline recovery mode — its password is rarely changed in normal operations. Any change should be treated as a critical alert.

MITRE ATT&CK

Technique

T1098 · Account Manipulation

Tactic

Persistence


Security Relevance

The DSRM account is a local administrator account on every domain controller, used only for offline AD recovery. Attackers who gain domain admin privileges sometimes change the DSRM password to create a persistent backdoor — even if their other accounts are removed, they can boot the DC into DSRM and regain full control. This technique is associated with advanced threat actors and ransomware groups.

Example Log Entry

Log Name: Security
Source:    Microsoft-Windows-Security-Auditing
Event ID:  4794
Level:     Information

An attempt was made to set the Directory Services Restore Mode administrator password.

Subject:
  Security ID:   CORP\DomainAdmin
  Account Name:  DomainAdmin
  Account Domain: CORP
  Logon ID:      0x3E7

Additional Information:
  Privileges: SeDebugPrivilege

Investigation Steps

  1. Treat any occurrence as critical — DSRM password changes are almost never part of normal operations.
  2. Identify who made the change (Subject account) and verify it was an authorized admin performing a planned task.
  3. Check for other suspicious events around the same time: new accounts (4720), group changes (4728/4732), log clearing (1102).
  4. Review recent privileged logons (4672) on the domain controller.
  5. Check whether the domain controller was recently accessed remotely or from an unexpected host.
  6. If unauthorized: assume the domain is compromised and initiate incident response immediately.


Remediation

  • Rotate the DSRM password on all domain controllers immediately using ntdsutil.
  • Audit all domain admin group memberships for unauthorized additions.
  • Review all domain controllers for signs of persistence (new scheduled tasks, services, accounts).
  • Reset credentials for any accounts used during the suspected compromise window.
  • Enable DSRM password change alerting via SIEM rule on Event ID 4794.
  • Consider deploying Privileged Access Workstations (PAWs) for all DC administration.
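As an added example (not EventPeeker's code), here is the correlation logic from the investigation steps and the SIEM alerting bullet above, in Python, run over a handful of constructed Security log records: every 4794 becomes a critical alert annotated with the related event IDs seen on the same DC inside a time window, whether the Subject is on a caller-supplied list of approved rotation accounts, and whether the log was cleared afterwards. The record field names, account names, hostnames and timestamps are all constructed for the demonstration.

```python
from datetime import datetime, timedelta

# Constructed sample records (not from a real DC). Keys loosely follow the
# Security log XML: EventID, TimeCreated, SubjectUserName, Computer.
SAMPLE_EVENTS = [
    {"EventID": 4672, "TimeCreated": "2024-05-01T02:10:00", "SubjectUserName": "DomainAdmin", "Computer": "DC01"},
    {"EventID": 4794, "TimeCreated": "2024-05-01T02:12:30", "SubjectUserName": "DomainAdmin", "Computer": "DC01"},
    {"EventID": 4720, "TimeCreated": "2024-05-01T02:14:00", "SubjectUserName": "DomainAdmin", "Computer": "DC01"},
    {"EventID": 1102, "TimeCreated": "2024-05-01T02:20:00", "SubjectUserName": "DomainAdmin", "Computer": "DC01"},
    {"EventID": 4794, "TimeCreated": "2024-05-03T09:00:00", "SubjectUserName": "svc_dsrm_rotate", "Computer": "DC02"},
]

# Event IDs the investigation steps say to look for around a 4794.
RELATED_IDS = {4672, 4720, 4728, 4732, 1102}


def find_dsrm_alerts(events, approved_accounts=frozenset(), window_minutes=30):
    """Return one alert dict per Event ID 4794, oldest first.

    Every 4794 is an alert; 'authorized_subject' only records whether the
    Subject is on the approved rotation list, it never suppresses the alert.
    """
    parsed = sorted(((datetime.fromisoformat(e["TimeCreated"]), e) for e in events),
                    key=lambda p: p[0])
    window = timedelta(minutes=window_minutes)
    alerts = []
    for ts, ev in parsed:
        if ev["EventID"] != 4794:
            continue
        # Other events on the same DC within +/- window_minutes of the 4794.
        nearby = [(ots, o) for ots, o in parsed
                  if o is not ev and o["Computer"] == ev["Computer"]
                  and abs(ots - ts) <= window]
        alerts.append({
            "computer": ev["Computer"],
            "subject": ev["SubjectUserName"],
            "time": ev["TimeCreated"],
            "severity": "critical",
            "authorized_subject": ev["SubjectUserName"] in approved_accounts,
            "related_event_ids": sorted(o["EventID"] for _, o in nearby
                                        if o["EventID"] in RELATED_IDS),
            # A 1102 after the change is the log-clearing pattern from the guide.
            "log_cleared_after": any(o["EventID"] == 1102 and ots > ts
                                     for ots, o in nearby),
        })
    return alerts


if __name__ == "__main__":
    for alert in find_dsrm_alerts(SAMPLE_EVENTS, {"svc_dsrm_rotate"}):
        print(alert)
```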

Related Event IDs

  • 4672: Special privileges assigned — confirms admin-level access
  • 4720: New user account created — may accompany persistence
  • 4728: User added to global group — check for unauthorized admin additions
  • 1102: Audit log cleared — attackers often clear logs after DSRM changes
