Enabling restricted admin mode
Detects the registry modification to enable restricted admin mode using reg.exe
Sigma rule:

```yaml
title: Enabling restricted admin mode
status: Experimental
description: Detects the registry modification to enable restricted admin mode using reg.exe
author: '@Kostastsale, @TheDFIRReport'
references:
  - https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/
date: 2022/05/09
logsource:
  product: windows
  category: process_creation
detection:
  selection1:
    Image|endswith:
      - '\powershell.exe'
      - '\reg.exe'
    CommandLine|contains|all:
      - '/add'
      - 'DisableRestrictedAdmin'
      - 'hklm\system\currentcontrolset\control\lsa'
  selection2:
    CommandLine|contains:
      - '-Value 0'
      - '/d 0'
  condition: selection1 and selection2
falsepositives:
  - Unknown
level: high
tags:
  - attack.defense_evasion
  - attack.t1562.001
```
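As an added example (not from the rule's authors or the Sigma project), the rule's `selection1 and selection2` logic re-implemented in Python and run over constructed process_creation events. The `cmd_all` parameter is an assumption of this example: passing a different token list shows how much the exact substrings matter, since the documented reg.exe syntax is `reg add`, which does not contain the literal `/add` the published rule requires.

```python
# Constructed process_creation events (not real telemetry). Field names follow the
# Sigma process_creation logsource: Image and CommandLine.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r"reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v DisableRestrictedAdmin /t REG_DWORD /d 0 /f"},
    {"Image": r"C:\Windows\System32\reg.exe",  # value 1: selection2 must not fire
     "CommandLine": r"reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v DisableRestrictedAdmin /t REG_DWORD /d 1 /f"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",  # reg.exe wrapped in PowerShell
     "CommandLine": r'powershell.exe -c "reg add hklm\system\currentcontrolset\control\lsa /v DisableRestrictedAdmin /t REG_DWORD /d 0"'},
    {"Image": r"C:\Windows\System32\reg.exe",  # unrelated key: selection1 must not fire
     "CommandLine": r"reg add HKLM\SOFTWARE\Example /v Foo /t REG_DWORD /d 0 /f"},
]

# Tokens copied from the rule above.
IMAGES = (r"\powershell.exe", r"\reg.exe")
CMD_ALL = ("/add", "DisableRestrictedAdmin", r"hklm\system\currentcontrolset\control\lsa")
CMD_ANY = ("-Value 0", "/d 0")


def matches(event, images=IMAGES, cmd_all=CMD_ALL, cmd_any=CMD_ANY):
    """Evaluate the rule's condition 'selection1 and selection2' for one event.

    Sigma's endswith/contains modifiers are case-insensitive by default, so both
    the event fields and the rule tokens are lower-cased before comparison.
    """
    image = event.get("Image", "").lower()
    cmd = event.get("CommandLine", "").lower()
    # selection1: Image|endswith (any listed suffix) AND CommandLine|contains|all
    sel1 = any(image.endswith(s.lower()) for s in images) and all(s.lower() in cmd for s in cmd_all)
    # selection2: CommandLine|contains (any listed value)
    sel2 = any(s.lower() in cmd for s in cmd_any)
    return sel1 and sel2


def matching_indexes(events, **selections):
    """Indexes of the events the rule fires on, with optional overridden token lists."""
    return [i for i, e in enumerate(events) if matches(e, **selections)]


if __name__ == "__main__":
    print("as published:", matching_indexes(SAMPLE_EVENTS))
    # Hypothetical tuning for comparison: 'add' instead of '/add'.
    tuned = ("add", "DisableRestrictedAdmin", r"hklm\system\currentcontrolset\control\lsa")
    print("with 'add':  ", matching_indexes(SAMPLE_EVENTS, cmd_all=tuned))
```

Run the block against command lines from your own telemetry before deploying: the events that should fire are the ones writing DisableRestrictedAdmin to 0 (indexes 0 and 2), and the token list decides whether they do.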