Update T1112.yaml (#2262)

Enabling Restricted Admin Mode via Command_Prompt enables an attacker to perform a pass-the-hash attack using RDP

Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
devapriya16
2022-12-30 10:02:04 -06:00
committed by GitHub
parent 08579bb5be
commit 4a4fd153d8
+12
@@ -692,3 +692,15 @@ atomic_tests:
reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun /v art2 /f >nul 2>&1
name: command_prompt
elevation_required: true
- name: Enabling Restricted Admin Mode via Command_Prompt
description: |
Enabling Restricted Admin Mode via Command_Prompt,enables an attacker to perform a pass-the-hash attack using RDP
supported_platforms:
- windows
executor:
command: |
reg add "hklm\system\currentcontrolset\control\lsa" /f /v DisableRestrictedAdmin /t REG_DWORD /d 0
cleanup_command: |
reg delete "hklm\system\currentcontrolset\control\lsa" /f /v DisableRestrictedAdmin >nul 2>&1
name: command_prompt
elevation_required: true
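Review bot: the cleanup_command in the new test deletes DisableRestrictedAdmin unconditionally, so on a host where that value was already present before the run, cleanup removes it instead of restoring the earlier setting. Consider saving the prior value (or at least stating in the description that cleanup deletes the value rather than restoring it) so the test does not leave a hardened host in a different state than it found it. The description line also needs a space after the comma in "Command_Prompt,enables", and it would help detection authors if it named the value being written, as in `reg add "hklm\system\currentcontrolset\control\lsa" /f /v DisableRestrictedAdmin /t REG_DWORD /d 0`, so the registry path to monitor is visible without reading the executor block.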