EventPeeker

Event ID 4794 · Audit Success · Security · T1098

Windows Event ID 4794: DSRM Admin Password Set

Logged on a domain controller whenever the Directory Services Restore Mode (DSRM) administrator password is set or changed. DSRM is an offline recovery mode — its password is set once at DC promotion and almost never changed in normal operations.

MITRE ATT&CK

Technique: T1098 · Account Manipulation
Tactic: Persistence

Why It Matters

The DSRM account is a local administrator account on every domain controller, designed for offline AD recovery. Critically, it is independent of Active Directory itself: it works even when AD services are stopped or the DC is booted into Directory Services Restore Mode. Attackers who reach Domain Admin level establish a DSRM backdoor (the password change is what generates Event 4794): by setting a known DSRM password and enabling network logon for DSRM (registry: DsrmAdminLogonBehavior = 2), they gain a persistent local admin credential on the DC that survives password resets of all domain accounts, AD object cleanups, and even domain rebuilds on the same hardware. This technique is used by APT groups specifically because it is resilient against standard incident response. There is no legitimate reason to change the DSRM password outside of a documented DC rebuild or disaster recovery drill; any 4794 outside that context is a confirmed incident.

Key Fields

Subject Account Name: The account that changed the DSRM password — should only ever be a known Domain Admin performing documented DR maintenance. Any other actor is an immediate critical escalation.
Subject Logon ID: Correlate with Event 4624 to identify the session — check logon type and source IP. An interactive (Type 2) logon from an unexpected host suggests the attacker already has DC access.
Target Account Name: The domain controller where the DSRM password was changed — if this is a production DC rather than a test DC, treat this as a confirmed incident.

Investigation Tips

  1. Zero-tolerance policy: any 4794 not matching a documented DC build or DR test procedure is a critical incident. Immediately verify with the responsible team whether this was authorized — do not assume it was.
  2. Check the DsrmAdminLogonBehavior registry value (HKLM\System\CurrentControlSet\Control\Lsa\DsrmAdminLogonBehavior): value 2 enables DSRM for network logon even when AD is online — a value of 2 set alongside a 4794 means the attacker has created a fully weaponized network-accessible backdoor on the DC.
  3. Correlate with the DC compromise chain: 4794 typically follows credential dumping (4663 on LSASS), log clearing (1102), or mass privilege grants (4728). Check 60–120 minutes of events before the 4794 on the same DC.
  4. Check 4624 for DSRM account logons: if the attacker immediately tests their backdoor, look for logons with Account Name matching the local DC Administrator account from unexpected source IPs shortly after the 4794.
  5. Incident response: changing the domain account passwords does NOT invalidate the DSRM backdoor. To remediate: (1) reset the DSRM password to a unique random value via ntdsutil, (2) set DsrmAdminLogonBehavior back to 0, (3) audit all DC administrative access during the compromise window.
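As an added example (not from the page or EventPeeker), the following PowerShell script applies tips 2, 4 and 5 across every DC in the domain: it reads DsrmAdminLogonBehavior remotely, pulls 4794 events from each DC's Security log, and rates each DC so the registry backdoor and the password change are judged together. It assumes the RSAT ActiveDirectory module, WinRM and remote event-log access to each DC, a 30-day lookback, and the 4794 EventData field names SubjectUserName and SubjectLogonId.

```powershell
# Audit every DC: DsrmAdminLogonBehavior + recent 4794 events (added example, not EventPeeker code).
# Assumptions: RSAT ActiveDirectory module, WinRM to each DC, 30-day window, EventData names below.
param([int]$LookbackDays = 30)

Import-Module ActiveDirectory -ErrorAction Stop
$regPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$valueName = 'DsrmAdminLogonBehavior'
$since     = (Get-Date).AddDays(-$LookbackDays)

$report = foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
    # Registry: absent/0 = DSRM logon only when booted into DSRM (expected);
    # 1 = allowed while AD DS is stopped; 2 = allowed any time (network-accessible backdoor).
    $behavior = Invoke-Command -ComputerName $dc -ErrorAction SilentlyContinue -ScriptBlock {
        param($p, $n)
        $v = (Get-ItemProperty -Path $p -Name $n -ErrorAction SilentlyContinue).$n
        if ($null -eq $v) { 0 } else { [int]$v }
    } -ArgumentList $regPath, $valueName
    if ($null -eq $behavior) { $behavior = -1 }   # -1 = DC unreachable, never report it as clean

    # Security log: every 4794 in the window. Zero hits is the expected state.
    $events = @(Get-WinEvent -ComputerName $dc -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Security'; Id = 4794; StartTime = $since })
    $last = $events | Sort-Object TimeCreated -Descending | Select-Object -First 1
    $setBy = $null; $logonId = $null
    if ($last) {
        # Subject fields by EventData name (assumed names); SubjectLogonId correlates with 4624
        $data = @{}
        foreach ($d in ([xml]$last.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        $setBy   = $data['SubjectUserName']
        $logonId = $data['SubjectLogonId']
    }

    $verdict = switch ($true) {
        ($behavior -eq 2 -and $events.Count -gt 0) { 'CRITICAL: 4794 seen AND DSRM network logon enabled'; break }
        ($events.Count -gt 0)                        { 'HIGH: 4794 seen, verify against DR documentation'; break }
        ($behavior -lt 0)                            { 'UNKNOWN: DC unreachable, check manually'; break }
        ($behavior -ne 0)                            { "HIGH: DsrmAdminLogonBehavior=$behavior, reset to 0"; break }
        default                                      { 'OK' }
    }

    [pscustomobject]@{
        DC = $dc; DsrmAdminLogonBehavior = $behavior; Count4794 = $events.Count
        LastSetAt = $last.TimeCreated; LastSetBy = $setBy; SubjectLogonId = $logonId; Verdict = $verdict
    }
}

$report | Sort-Object Verdict | Format-Table -AutoSize
```

Run it from a management host with Domain Admin rights; any row other than OK is the starting point for the correlation steps in tips 3 and 4.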

Detection Logic (KQL)

Microsoft Sentinel (KQL) — any 4794 event is a high-fidelity alert; no threshold needed. The second query correlates a 4794 with an audit-log clear (1102) on the same DC, the DC compromise pattern described in the investigation tips.

// Any DSRM password change — alert immediately, no threshold
SecurityEvent
| where EventID == 4794
| project TimeGenerated, SubjectAccount, TargetAccount,
    Computer, SubjectLogonId
| extend Alert = "DSRM password changed — verify against DR documentation"
| sort by TimeGenerated desc

// Correlate with log clearing (DC compromise pattern): both events on the same DC within a 2-hour window
SecurityEvent
| where EventID in (4794, 1102)
| summarize DsrmChanges = countif(EventID == 4794), LogClears = countif(EventID == 1102),
    Times = make_list(TimeGenerated) by Computer, Window = bin(TimeGenerated, 2h)
| where DsrmChanges > 0 and LogClears > 0
| extend Alert = "DSRM change + log clear on same DC = high-confidence compromise"

Related Event IDs

1102: Audit log cleared — attackers clear logs after establishing DC backdoors
4672: Special privileges — the Domain Admin session that set the DSRM password
4624: Successful logon — look for DSRM account logon tests shortly after 4794
4728: Member added to privileged group — may precede DSRM backdoor setup
4663: Object access — LSASS credential dump often precedes DC backdoor establishment

Full Detection Guide Available

This event ID has a full detection guide with investigation steps, remediation advice, and example log entries.

