Enabling restricted admin mode
Detects a registry modification that enables Restricted Admin mode for RDP: setting the DisableRestrictedAdmin value under HKLM\SYSTEM\CurrentControlSet\Control\Lsa to 0 from a reg.exe (or PowerShell-wrapped reg.exe) command line. With Restricted Admin mode enabled, mstsc.exe /restrictedadmin lets a client log on without sending reusable credentials to the host, which also allows an attacker holding only an NTLM hash to authenticate over RDP (pass-the-hash). The rule works on process-creation telemetry and matches the command line, not the resulting registry write.
Sigma rule
```yaml
title: Enabling restricted admin mode
id: 8e9de57d-7c2e-4ce7-8f5d-56e9f1de475f
status: experimental
description: Detects the registry modification to enable restricted admin mode using reg.exe
author: 'Kostastsale, TheDFIRReport'
references:
    - https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/
date: 2022-05-09
modified: 2023-01-08
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        Image|endswith:
            - '\powershell.exe'
            - '\reg.exe'
        CommandLine|contains|all:
            - '/add'
            - 'DisableRestrictedAdmin'
            - 'hklm\system\currentcontrolset\control\lsa'
        CommandLine|contains:
            - '-Value 0'
            - '/d 0'
    condition: selection
falsepositives:
    - Unknown
level: high
tags:
    - attack.defense-evasion
    - attack.t1562.001
```
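To exercise the selection logic above against concrete command lines before deploying it, here is an added Python example (not SigmaHQ tooling and not the rule authors' code) that re-implements the Sigma `endswith`, `contains` and `contains|all` semantics this rule uses, with the case-insensitive matching the Sigma specification defaults to, and runs two selections over constructed process-creation events. The first selection is the rule as printed; the second is an assumed variant that swaps the first `contains|all` token from `/add` to `add`. The variant, the `Image`/`CommandLine` field values and the sample command lines are assumptions for illustration.

```python
"""Re-implementation of this page's Sigma selection over constructed Windows
process-creation events. Added example; not SigmaHQ or rule-author code."""

from typing import Dict, List

# Selection exactly as printed in the rule on this page.
PRINTED_SELECTION: Dict[str, List[str]] = {
    "Image|endswith": ["\\powershell.exe", "\\reg.exe"],
    "CommandLine|contains|all": ["/add", "DisableRestrictedAdmin",
                                 "hklm\\system\\currentcontrolset\\control\\lsa"],
    "CommandLine|contains": ["-Value 0", "/d 0"],
}

# Assumed variant (NOT the page's rule): first token 'add' instead of '/add'.
VARIANT_SELECTION: Dict[str, List[str]] = {
    **PRINTED_SELECTION,
    "CommandLine|contains|all": ["add", "DisableRestrictedAdmin",
                                 "hklm\\system\\currentcontrolset\\control\\lsa"],
}


def _match_field(value: str, modifiers: List[str], patterns: List[str]) -> bool:
    """Sigma string matching: case-insensitive; 'all' folds with AND, else OR."""
    v = value.lower()
    pats = [p.lower() for p in patterns]
    if "endswith" in modifiers:
        hits = [v.endswith(p) for p in pats]
    elif "contains" in modifiers:
        hits = [p in v for p in pats]
    else:
        hits = [v == p for p in pats]
    return all(hits) if "all" in modifiers else any(hits)


def matches(selection: Dict[str, List[str]], event: Dict[str, str]) -> bool:
    """Every field in a Sigma selection map must match (implicit AND)."""
    for key, patterns in selection.items():
        field, *modifiers = key.split("|")
        if not _match_field(event.get(field, ""), modifiers, patterns):
            return False
    return True


# Constructed sample events (not real telemetry). Field names follow the
# Sigma process_creation schema (Image, CommandLine).
LSA = r"HKLM\SYSTEM\CurrentControlSet\Control\Lsa"
REG = r"C:\Windows\System32\reg.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CMD = r"C:\Windows\System32\cmd.exe"
ENABLE = f"reg add {LSA} /v DisableRestrictedAdmin /t REG_DWORD /d 0 /f"

EVENTS: Dict[str, Dict[str, str]] = {
    # reg.exe enabling the mode (DisableRestrictedAdmin = 0)
    "reg_enable": {"Image": REG, "CommandLine": ENABLE},
    # reg.exe disabling it again (= 1): out of scope for this rule
    "reg_disable": {"Image": REG, "CommandLine": ENABLE.replace("/d 0", "/d 1")},
    # reg add launched through a powershell.exe command line
    "ps_wraps_reg": {"Image": PS, "CommandLine": f'powershell.exe -c "{ENABLE}"'},
    # native PowerShell registry provider write: no reg.exe, HKLM: path form
    "ps_provider": {"Image": PS, "CommandLine": r'powershell.exe -c "Set-ItemProperty '
                    r'-Path HKLM:\SYSTEM\CurrentControlSet\Control\Lsa '
                    r'-Name DisableRestrictedAdmin -Value 0"'},
    # cmd.exe parent: the matching event is the separate reg.exe child process
    "cmd_parent": {"Image": CMD, "CommandLine": f"cmd.exe /c {ENABLE}"},
}


def evaluate(selection: Dict[str, List[str]]) -> Dict[str, bool]:
    """Run one selection over every constructed event; True means it fires."""
    return {name: matches(selection, ev) for name, ev in EVENTS.items()}


if __name__ == "__main__":
    for label, sel in (("printed", PRINTED_SELECTION), ("variant", VARIANT_SELECTION)):
        print(label)
        for name, hit in evaluate(sel).items():
            print(f"  {name:13} {'ALERT' if hit else '-'}")
```

Implemented literally, the printed `/add` token is a substring requirement that a plain `reg add ...` command line does not satisfy (it contains ` add `, with no slash), so none of the constructed events fire under the rule as printed; check that token against the rule revision you actually deploy. With the `add` variant, the reg.exe and PowerShell-wrapped cases fire, `/d 1` (which disables the mode) does not, and the PowerShell provider form still does not: `HKLM:\SYSTEM\...` is not the `hklm\system\...` string, and a process-creation rule never sees the registry write itself, so registry value-set telemetry is the complementary source for that case.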
References
- https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/
Related rules
- Custom Cobalt Strike Command Execution
- Deleting Windows Defender scheduled tasks
- Sysmon Driver Altitude Change
- Windows Defender Service Disabled - Registry
- Bitbucket Audit Log Configuration Updated