Disabled RestrictedAdminMode For RDS - ProcCreation

calendar Dec 1, 2023 · attack.defense_evasion attack.t1112  ·
Share on: linkedin copy

Detect activation of DisableRestrictedAdmin to disable RestrictedAdmin mode. RestrictedAdmin mode prevents the transmission of reusable credentials to the remote system to which you connect using Remote Desktop. This prevents your credentials from being harvested during the initial connection process if the remote server has been compromise

Sigma rule (View on GitHub)

 1title: Disabled RestrictedAdminMode For RDS - ProcCreation
 2id: 28ac00d6-22d9-4a3c-927f-bbd770104573
 3related:
 4    - id: d6ce7ebd-260b-4323-9768-a9631c8d4db2 # Registry
 5      type: similar
 6status: test
 7description: |
 8    Detect activation of DisableRestrictedAdmin to disable RestrictedAdmin mode.
 9    RestrictedAdmin mode prevents the transmission of reusable credentials to the remote system to which you connect using Remote Desktop.
10    This prevents your credentials from being harvested during the initial connection process if the remote server has been compromise    
11references:
12    - https://github.com/redcanaryco/atomic-red-team/blob/a8e3cf63e97b973a25903d3df9fd55da6252e564/atomics/T1112/T1112.md
13    - https://social.technet.microsoft.com/wiki/contents/articles/32905.remote-desktop-services-enable-restricted-admin-mode.aspx
14author: frack113
15date: 2023/01/13
16tags:
17    - attack.defense_evasion
18    - attack.t1112
19logsource:
20    product: windows
21    category: process_creation
22detection:
23    selection:
24        CommandLine|contains|all:
25            - '\System\CurrentControlSet\Control\Lsa\'
26            - 'DisableRestrictedAdmin'
27            - ' 1'
28    condition: selection
29falsepositives:
30    - Unknown
31level: high

References

Related rules

to-top