Windows AD DSRM Password Reset

Splunk Security Content

Summary
This rule detects attempts to reset the Directory Services Restore Mode (DSRM) administrator password on a Domain Controller, using Windows Security Event Log code 4794. The detection identifies events that signify a DSRM password reset, which can give an attacker administrative access on the Domain Controller comparable to a local administrator account. Such access is a significant risk because it provides persistence: the attacker can manipulate the Domain Controller, an essential asset in Active Directory environments. The rule requires the Advanced Security Audit Policy 'Audit User Account Management' to be enabled so that the relevant events are logged. Known false positives include legitimate administrative actions such as disaster recovery or resets of forgotten DSRM passwords, so each event should be reviewed with context to determine its legitimacy.
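An added example of the detection logic described above, run over constructed sample events; this is not code from the Splunk Security Content project, and the event field names (EventCode, Account_Name, Caller_Workstation, Status_Code) are an assumption modelled on how Windows Security events are commonly extracted.

```python
"""Added example: flag DSRM password-reset attempts (Security Event ID 4794)
and separate them from pre-approved administrative activity for triage."""
from dataclasses import dataclass

# Constructed sample events (not real log data). Status_Code 0x0 means the
# reset succeeded; the non-zero code below is a placeholder for a failure.
SAMPLE_EVENTS = [
    {"EventCode": "4794", "ComputerName": "dc01.corp.example",
     "Account_Domain": "CORP", "Account_Name": "jsmith",
     "Caller_Workstation": "WKSTN-17", "Status_Code": "0x0"},
    {"EventCode": "4720", "ComputerName": "dc01.corp.example",
     "Account_Domain": "CORP", "Account_Name": "jsmith"},        # unrelated
    {"EventCode": "4794", "ComputerName": "dc02.corp.example",
     "Account_Domain": "CORP", "Account_Name": "dr-admin",
     "Caller_Workstation": "DC02", "Status_Code": "0x0"},
    {"EventCode": "4794", "ComputerName": "dc01.corp.example",
     "Account_Domain": "CORP", "Account_Name": "jsmith",
     "Caller_Workstation": "WKSTN-17", "Status_Code": "0xC0000022"},
]


@dataclass(frozen=True)
class DsrmAlert:
    host: str
    actor: str              # DOMAIN\user that performed the reset
    caller_workstation: str
    succeeded: bool


def detect_dsrm_reset(events):
    """Return one alert per Event ID 4794, regardless of outcome: a failed
    attempt is still worth seeing, since it shows someone tried."""
    alerts = []
    for ev in events:
        if str(ev.get("EventCode")) != "4794":
            continue
        status = str(ev.get("Status_Code", "")).lower()
        alerts.append(DsrmAlert(
            host=ev.get("ComputerName", "?"),
            actor=f"{ev.get('Account_Domain', '?')}\\{ev.get('Account_Name', '?')}",
            caller_workstation=ev.get("Caller_Workstation", "?"),
            succeeded=status in ("0x0", "0"),
        ))
    return alerts


def needs_review(alerts, approved_actors):
    """Filter out resets by actors tied to a known change (e.g. a disaster-
    recovery ticket); everything else goes to an analyst."""
    return [a for a in alerts if a.actor not in approved_actors]
```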
Categories
  • Windows
  • Endpoint
Data Sources
  • Windows Registry
ATT&CK Techniques
  • T1098
Created: 2024-11-13