Enabling restricted admin mode
Detects the registry modification to enable restricted admin mode using reg.exe
Sigma rule (View on GitHub)
1title: Enabling restricted admin mode
2id: 8e9de57d-7c2e-4ce7-8f5d-56e9f1de475f
3status: experimental
4description: Detects the registry modification to enable restricted admin mode using reg.exe
5author: 'Kostastsale, TheDFIRReport'
6references:
7 - https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/
8date: 2022/05/09
9modified: 2023/01/08
10logsource:
11 product: windows
12 category: process_creation
13detection:
14 selection1:
15 Image|endswith:
16 - '\powershell.exe'
17 - '\reg.exe'
18 CommandLine|contains|all:
19 - '/add'
20 - 'DisableRestrictedAdmin'
21 - 'hklm\system\currentcontrolset\control\lsa'
22 selection2:
23 CommandLine|contains:
24 - '-Value 0'
25 - '/d 0'
26 condition: selection1 and selection2
27falsepositives:
28 - Unknown
29level: high
30tags:
31 - attack.defense_evasion
32 - attack.t1562.001
References
-
In early February 2022, we witnessed an intrusion employing Gootloader (aka GootKit) as the initial access vector.The intrusion lasted two days and comprised discovery, persistence, lateral movement, collection, defense evasion, credential access and command and control activity.
Read More
Related rules
- Tamper Windows Defender Remove-MpPreference
- Sysinternals PsSuspend Suspicious Execution
- AWS Config Disabling Channel/Recorder
- Cisco Disabling Logging
- NetNTLM Downgrade Attack - Registry