
Summary
This detection rule identifies potential unauthorized changes to the Directory Services Restore Mode (DSRM) administrator password on Windows Domain Controllers. The DSRM account is used to manage directory services during recovery, which makes it a target for attackers seeking persistence on a domain controller. An attack that alters the DSRM password triggers an event with ID 4794, so recognizing this event is essential for detecting attempts to compromise the integrity of domain controllers. False positives, such as the 4794 event logged during the initial installation of a domain controller, must be filtered out to keep incident detection accurate.
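The detection logic described above, written out as an added example that is not part of the original rule page: it scans Security-log records for Event ID 4794 and suppresses the documented false positive by ignoring a 4794 that falls inside a short window around a domain controller's known promotion time. The 4794 field names (SubjectUserName, SubjectDomainName, Workstation, Status) are the real event schema; the hostnames, timestamps, the sample records, and the promotion-time allowlist are constructed assumptions.

```python
from datetime import datetime, timedelta

# Event ID written when the DSRM administrator password is set (from the rule summary).
DSRM_PASSWORD_SET_EVENT_ID = 4794

# Constructed sample records, shaped like Security-log events a SIEM would hand over.
# One 4794 coincides with DC01's promotion; the other is an off-hours change from a
# non-DC workstation; the 4624 logon is there to show unrelated events are skipped.
SAMPLE_EVENTS = [
    {"EventID": 4794, "Computer": "DC01.corp.example", "TimeCreated": "2017-02-19T08:15:00",
     "SubjectUserName": "Administrator", "SubjectDomainName": "CORP",
     "Workstation": "DC01", "Status": "0x0"},
    {"EventID": 4624, "Computer": "DC01.corp.example", "TimeCreated": "2017-02-19T09:00:00",
     "SubjectUserName": "jsmith", "SubjectDomainName": "CORP"},
    {"EventID": 4794, "Computer": "DC02.corp.example", "TimeCreated": "2017-03-02T22:41:13",
     "SubjectUserName": "svc-backup", "SubjectDomainName": "CORP",
     "Workstation": "WS-FIN-07", "Status": "0x0"},
]

# Assumed allowlist (constructed): when each DC was promoted. A 4794 within
# PROMOTION_WINDOW of that time is the expected initial-install false positive.
DC_PROMOTION_TIMES = {"DC01.corp.example": datetime(2017, 2, 19, 8, 0, 0)}
PROMOTION_WINDOW = timedelta(hours=1)


def is_expected_promotion(event, promotion_times, window):
    """True when the event sits inside the promotion window for its host."""
    promoted_at = promotion_times.get(event.get("Computer"))
    if promoted_at is None:
        return False
    observed_at = datetime.fromisoformat(event["TimeCreated"])
    return abs(observed_at - promoted_at) <= window


def detect_dsrm_password_changes(events, promotion_times=DC_PROMOTION_TIMES,
                                 window=PROMOTION_WINDOW):
    """Return one alert per 4794 event that is not explained by a DC promotion."""
    alerts = []
    for event in events:
        if event.get("EventID") != DSRM_PASSWORD_SET_EVENT_ID:
            continue
        if is_expected_promotion(event, promotion_times, window):
            continue  # initial installation of this DC; documented false positive
        alerts.append({
            "rule": "DSRM administrator password changed",
            "Computer": event["Computer"],
            "TimeCreated": event["TimeCreated"],
            "SubjectUserName": event.get("SubjectUserName"),
            "SubjectDomainName": event.get("SubjectDomainName"),
            # Workstation tells the responder where the change was driven from.
            "Workstation": event.get("Workstation"),
            "Status": event.get("Status"),
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_dsrm_password_changes(SAMPLE_EVENTS):
        print(alert)
```

In production the allowlist would come from the DC promotion records rather than a hard-coded dict, and the alert record carries the Workstation field so the responder can immediately see whether the change originated on the DC itself or from elsewhere on the network.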
Categories
- Windows
- Endpoint
Data Sources
- Logon Session
- Windows Registry
- Active Directory
Created: 2017-02-19