← Back to Explore
sigmahighHunting
RestrictedAdminMode Registry Value Tampering
Detects changes to the "DisableRestrictedAdmin" registry value in order to disable or enable RestrictedAdmin mode. RestrictedAdmin mode prevents the transmission of reusable credentials to the remote system to which you connect using Remote Desktop. This prevents your credentials from being harvested during the initial connection process if the remote server has been compromise
Detection Query
selection:
TargetObject|endswith: System\CurrentControlSet\Control\Lsa\DisableRestrictedAdmin
condition: selection
Author
frack113
Created
2023-01-13
Data Sources
windowsRegistry Set Events
Platforms
windows
References
Tags
attack.persistenceattack.defense-evasionattack.t1112
Raw Content
title: RestrictedAdminMode Registry Value Tampering
id: d6ce7ebd-260b-4323-9768-a9631c8d4db2
related:
- id: 28ac00d6-22d9-4a3c-927f-bbd770104573 # process_creation
type: similar
status: test
description: |
Detects changes to the "DisableRestrictedAdmin" registry value in order to disable or enable RestrictedAdmin mode.
RestrictedAdmin mode prevents the transmission of reusable credentials to the remote system to which you connect using Remote Desktop.
This prevents your credentials from being harvested during the initial connection process if the remote server has been compromise
references:
- https://github.com/redcanaryco/atomic-red-team/blob/a8e3cf63e97b973a25903d3df9fd55da6252e564/atomics/T1112/T1112.md
- https://social.technet.microsoft.com/wiki/contents/articles/32905.remote-desktop-services-enable-restricted-admin-mode.aspx
author: frack113
date: 2023-01-13
modified: 2024-08-23
tags:
- attack.persistence
- attack.defense-evasion
- attack.t1112
logsource:
product: windows
category: registry_set
detection:
selection:
TargetObject|endswith: 'System\CurrentControlSet\Control\Lsa\DisableRestrictedAdmin'
condition: selection
falsepositives:
- Unknown
level: high