Enabling restricted admin mode
Detects a registry modification that enables Restricted Admin mode, made with reg.exe or PowerShell: the DWORD DisableRestrictedAdmin under HKLM\SYSTEM\CurrentControlSet\Control\Lsa is set to 0. With Restricted Admin mode on, an RDP client can authenticate with only an account's NT hash (pass-the-hash over RDP), so an attacker who has dumped credentials can move laterally without a cleartext password; the rule was written from the Gootloader intrusion listed in the reference below.

Check the literals against your own process-creation telemetry before relying on this as a high-severity alert: selection1 requires the substring /add in the command line, but reg.exe's native syntax is reg add <key> ... with no slash, and Set-ItemProperty or New-ItemProperty command lines contain neither /add nor the hklm\system\... form of the path (PowerShell's provider path is HKLM:\System\...). A registry value-set rule on the same key (Sysmon Event ID 13) is a useful complement because it does not depend on command-line text.
Sigma rule

```yaml
title: Enabling restricted admin mode
id: 0e6e820b-f829-472e-9e34-930939778187
status: Experimental
description: Detects the registry modification to enable restricted admin mode using reg.exe
author: '@Kostastsale, @TheDFIRReport'
references:
  - https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/
date: 2022/05/09
logsource:
  product: windows
  category: process_creation
detection:
  selection1:
    Image|endswith:
      - '\powershell.exe'
      - '\reg.exe'
    CommandLine|contains|all:
      - '/add'
      - 'DisableRestrictedAdmin'
      - 'hklm\system\currentcontrolset\control\lsa'
  selection2:
    CommandLine|contains:
      - '-Value 0'
      - '/d 0'
  condition: selection1 and selection2
falsepositives:
  - Unknown
level: high
tags:
  - attack.defense_evasion
  - attack.t1562.001
```
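To see what the rule's selections actually match, here is an added example (mine, not part of this page and not code from the rule's authors): a small Python evaluator for the detection block above, run over four constructed process-creation events. The events are synthetic, not telemetry from the referenced intrusion; the third one is deliberately written to contain every literal the rule asks for and is not valid reg.exe syntax. The failing_literals helper is an assumed utility of my own that reports which literal a non-matching event lacks.

```python
# Added example: a minimal evaluator for this Sigma rule's detection block,
# run over constructed process_creation events. Sigma string modifiers are
# case-insensitive, which is why both sides of every comparison are lowercased.

# The detection block exactly as published in the rule above.
DETECTION = {
    "selection1": {
        "Image|endswith": ["\\powershell.exe", "\\reg.exe"],
        "CommandLine|contains|all": [
            "/add",
            "DisableRestrictedAdmin",
            "hklm\\system\\currentcontrolset\\control\\lsa",
        ],
    },
    "selection2": {
        "CommandLine|contains": ["-Value 0", "/d 0"],
    },
}


def field_matches(event, key, values):
    """Evaluate one 'Field|modifier[|all]' entry against an event.

    Supports the modifier forms this rule uses (endswith, contains,
    contains|all). Returns (matched, per_value) so a caller can see which
    individual literal failed.
    """
    field, *mods = key.split("|")
    haystack = str(event.get(field, "")).lower()
    per_value = {}
    for v in values:
        needle = v.lower()
        if "endswith" in mods:
            per_value[v] = haystack.endswith(needle)
        elif "contains" in mods:
            per_value[v] = needle in haystack
        else:  # plain equality; not used by this rule, kept for completeness
            per_value[v] = haystack == needle
    matched = all(per_value.values()) if "all" in mods else any(per_value.values())
    return matched, per_value


def selection_matches(event, selection):
    # All field entries inside one selection are AND-ed together.
    return all(field_matches(event, k, v)[0] for k, v in selection.items())


def rule_matches(event):
    # condition: selection1 and selection2
    return (selection_matches(event, DETECTION["selection1"])
            and selection_matches(event, DETECTION["selection2"]))


def failing_literals(event):
    """Assumed helper (not part of Sigma): list the literals in any
    non-matching field entry, so a rule author can see why a known-bad
    command line slipped through."""
    missing = []
    for selection in DETECTION.values():
        for key, values in selection.items():
            matched, per_value = field_matches(event, key, values)
            if not matched:
                missing.extend(f"{key}: {v}" for v, ok in per_value.items() if not ok)
    return missing


# Constructed sample events (synthetic, not real telemetry).
EVENTS = [
    {   # native reg.exe syntax: 'reg add', no leading slash
        "Image": "C:\\Windows\\System32\\reg.exe",
        "CommandLine": "reg add hklm\\system\\currentcontrolset\\control\\lsa "
                       "/v DisableRestrictedAdmin /t REG_DWORD /d 0 /f",
    },
    {   # PowerShell equivalent; the provider path uses 'HKLM:\'
        "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "CommandLine": "powershell.exe -Command Set-ItemProperty -Path "
                       "HKLM:\\System\\CurrentControlSet\\Control\\Lsa "
                       "-Name DisableRestrictedAdmin -Value 0",
    },
    {   # synthetic: carries every literal the rule asks for (not valid reg.exe syntax)
        "Image": "C:\\Windows\\System32\\reg.exe",
        "CommandLine": "reg.exe /add hklm\\system\\currentcontrolset\\control\\lsa "
                       "/v DisableRestrictedAdmin /d 0",
    },
    {   # benign: setting the value to 1 turns Restricted Admin mode off again
        "Image": "C:\\Windows\\System32\\reg.exe",
        "CommandLine": "reg add hklm\\system\\currentcontrolset\\control\\lsa "
                       "/v DisableRestrictedAdmin /t REG_DWORD /d 1 /f",
    },
]

if __name__ == "__main__":
    for ev in EVENTS:
        hit = rule_matches(ev)
        print("MATCH" if hit else "no match", "|", ev["CommandLine"])
        if not hit:
            print("    missing literals:", failing_literals(ev))
```

Running it shows that only the synthetic third event fires; the realistic reg add and Set-ItemProperty command lines each fail on the /add literal (and the PowerShell one also on the hive path), while the benign /d 1 event fails selection2 as intended.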
References
- https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/
Related rules
- Deleting Windows Defender scheduled tasks
- PowerShell AMSI Bypass Pattern
- Using powershell specific download cradle OneLiner
- Custom Cobalt Strike Command Execution