Enabling restricted admin mode

May 9, 2022 · attack.defense_evasion attack.t1562.001 ·

Detects the registry modification to enable restricted admin mode using reg.exe

Sigma rule (View on GitHub)

 1title: Enabling restricted admin mode
 2status: Experimental
 3description: Detects the registry modification to enable restricted admin mode using reg.exe
 4author: \@Kostastsale, \@TheDFIRReport
 5references: 
 6  - https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/
 7date: 2022/05/09
 8logsource:
 9  product: windows
10  category: process_creation
11detection:
12  selection1:
13    Image|endswith: 
14      - '\powershell.exe'
15      - '\reg.exe'
16    CommandLine|contains|all:
17      - '/add'
18      - 'DisableRestrictedAdmin'
19      - 'hklm\system\currentcontrolset\control\lsa'
20  selection2:
21    CommandLine|contains:
22      - '-Value 0'
23      - '/d 0'
24  condition: selection1 and selection2
25falsepositives:
26  - Uknown
27level: high
28tags:
29  - attack.defense_evasion
30  - attack.t1562.001```

References

SEO Poisoning - A Gootloader Story

In early February 2022, we witnessed an intrusion employing Gootloader (aka GootKit) as the initial access vector.The intrusion lasted two days and comprised discovery, persistence, lateral movement, collection, defense evasion, credential access and command and control activity.

Read More

Enabling restricted admin mode

Sigma rule (View on GitHub)

References

SEO Poisoning - A Gootloader Story

Related rules