From 4a4fd153d8bb8abdec2d94dd0a9985ea1a6fd28f Mon Sep 17 00:00:00 2001
From: devapriya16 <90361871+devapriya16@users.noreply.github.com>
Date: Fri, 30 Dec 2022 10:02:04 -0600
Subject: [PATCH] Update T1112.yaml (#2262)

Enabling Restricted Admin Mode via Command_Prompt, enables an attacker to perform a pass-the-hash attack using RDP

Co-authored-by: Carrie Roberts
---
 atomics/T1112/T1112.yaml | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/atomics/T1112/T1112.yaml b/atomics/T1112/T1112.yaml
index 0703380a..6abed794 100644
--- a/atomics/T1112/T1112.yaml
+++ b/atomics/T1112/T1112.yaml
@@ -692,3 +692,15 @@ atomic_tests:
 reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun /v art2 /f >nul 2>&1
 name: command_prompt
 elevation_required: true
+- name: Enabling Restricted Admin Mode via Command_Prompt
+ description: |
+ Enabling Restricted Admin Mode via Command_Prompt,enables an attacker to perform a pass-the-hash attack using RDP
+ supported_platforms:
+ - windows
+ executor:
+ command: |
+ reg add "hklm\system\currentcontrolset\control\lsa" /f /v DisableRestrictedAdmin /t REG_DWORD /d 0
+ cleanup_command: |
+ reg delete "hklm\system\currentcontrolset\control\lsa" /f /v DisableRestrictedAdmin >nul 2>&1
+ name: command_prompt
+ elevation_required: true
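Review bot: The cleanup_command at the end of the hunk deletes DisableRestrictedAdmin outright rather than restoring what was there, and the `reg add ... /f` on the command side overwrites any pre-existing value without recording it, so on a host where the value was explicitly set before the test (for example to 1 to force the mode off by policy) the test leaves a different LSA configuration than it found. Because this value governs whether an RDP logon can be performed with a hash instead of a password, that drift is worth stating in the description, e.g. appending `Note: cleanup removes the value instead of restoring a pre-existing setting; record the current value before running on hosts that set it by policy.` The description also reads `Command_Prompt,enables`, a stray comma splice; `Enabling Restricted Admin Mode via the command prompt allows an attacker to perform a pass-the-hash attack over RDP.` reads better. The atomic_tests sequence this entry is appended to begins well before the hunk.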