Enabling restricted admin mode
Detects the registry modification to enable restricted admin mode using reg.exe
Sigma rule

```yaml
title: Enabling restricted admin mode
id: 8e9de57d-7c2e-4ce7-8f5d-56e9f1de475f
status: experimental
description: Detects the registry modification to enable restricted admin mode using reg.exe
author: 'Kostastsale, TheDFIRReport'
references:
    - https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/
date: 2022/05/09
modified: 2023/01/08
logsource:
    product: windows
    category: process_creation
detection:
    selection1:
        Image|endswith:
            - '\powershell.exe'
            - '\reg.exe'
        CommandLine|contains|all:
            - '/add'
            - 'DisableRestrictedAdmin'
            - 'hklm\system\currentcontrolset\control\lsa'
    selection2:
        CommandLine|contains:
            - '-Value 0'
            - '/d 0'
    condition: selection1 and selection2
falsepositives:
    - Unknown
level: high
tags:
    - attack.defense_evasion
    - attack.t1562.001
```
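To see what the rule's `selection1 and selection2` condition actually matches, here is an added evaluator (not part of the rule or the Sigma project) that applies the rule's string modifiers, case-insensitively as Sigma does, to constructed process_creation events; the event field names and sample command lines are assumptions for illustration.

```python
"""Evaluate the 'Enabling restricted admin mode' selections over process_creation events."""
from typing import Dict, List

# Selections transcribed from the rule. Sigma string modifiers compare
# case-insensitively, so every value is lower-cased before matching.
SEL1_IMAGE_ENDSWITH = ("\\powershell.exe", "\\reg.exe")
SEL1_CMD_CONTAINS_ALL = ("/add", "disablerestrictedadmin",
                         "hklm\\system\\currentcontrolset\\control\\lsa")
SEL2_CMD_CONTAINS_ANY = ("-value 0", "/d 0")


def selection1(event: Dict[str, str]) -> bool:
    """Image|endswith AND CommandLine|contains|all."""
    image = event.get("Image", "").lower()
    cmd = event.get("CommandLine", "").lower()
    return (image.endswith(SEL1_IMAGE_ENDSWITH)
            and all(term in cmd for term in SEL1_CMD_CONTAINS_ALL))


def selection2(event: Dict[str, str]) -> bool:
    """CommandLine|contains (any of the listed values)."""
    cmd = event.get("CommandLine", "").lower()
    return any(term in cmd for term in SEL2_CMD_CONTAINS_ANY)


def matches_rule(event: Dict[str, str]) -> bool:
    """condition: selection1 and selection2"""
    return selection1(event) and selection2(event)


def missing_sel1_terms(event: Dict[str, str]) -> List[str]:
    """contains|all terms of selection1 absent from the command line (for tuning)."""
    cmd = event.get("CommandLine", "").lower()
    return [term for term in SEL1_CMD_CONTAINS_ALL if term not in cmd]


# Constructed sample events, not real telemetry.
REG_ADD_EVENT = {
    "Image": r"C:\Windows\System32\reg.exe",
    "CommandLine": r"reg add HKLM\System\CurrentControlSet\Control\Lsa "
                   r"/v DisableRestrictedAdmin /t REG_DWORD /d 0 /f",
}
PS_EVENT = {
    "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    "CommandLine": r"powershell.exe Set-ItemProperty -Path HKLM:\System\CurrentControlSet"
                   r"\Control\Lsa -Name DisableRestrictedAdmin -Value 0",
}

if __name__ == "__main__":
    for name, ev in (("reg add", REG_ADD_EVENT), ("powershell", PS_EVENT)):
        print(name, "->", matches_rule(ev), "missing:", missing_sel1_terms(ev))
```

Both constructed events fail selection1 on the literal `/add` term (the `reg add` syntax has a space, not a slash), and the PowerShell drive path `HKLM:\...` also misses the key-path term because of the colon; check the rule's terms against the command lines your telemetry actually records before relying on it.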
Related rules
- AWS Macie Evasion
- Powershell MS Defender Tampering - ScriptBlockLogging
- Tampering of Windows Defender with Reg
- Abusing PowerShell to Disable Defender Components
- Abusing PowerShell to Modify Defender Components