2023-01-13 17:21:21 +01:00
|
|
|
title: Disabled RestrictedAdminMode For RDS - ProcCreation
|
2023-01-13 12:11:38 +01:00
|
|
|
id: 28ac00d6-22d9-4a3c-927f-bbd770104573
|
|
|
|
|
related:
|
|
|
|
|
- id: d6ce7ebd-260b-4323-9768-a9631c8d4db2 # Registry
|
|
|
|
|
type: similar
|
|
|
|
|
status: experimental
|
|
|
|
|
description: |
|
|
|
|
|
Detect activation of DisableRestrictedAdmin to desable RestrictedAdmin mode.
|
|
|
|
|
RestrictedAdmin mode prevents the transmission of reusable credentials to the remote system to which you connect using Remote Desktop.
|
|
|
|
|
This prevents your credentials from being harvested during the initial connection process if the remote server has been compromise
|
|
|
|
|
references:
|
|
|
|
|
- https://github.com/redcanaryco/atomic-red-team/blob/a8e3cf63e97b973a25903d3df9fd55da6252e564/atomics/T1112/T1112.md
|
|
|
|
|
- https://social.technet.microsoft.com/wiki/contents/articles/32905.remote-desktop-services-enable-restricted-admin-mode.aspx
|
|
|
|
|
author: frack113
|
|
|
|
|
date: 2023/01/13
|
|
|
|
|
tags:
|
|
|
|
|
- attack.defense_evasion
|
|
|
|
|
- attack.t1112
|
|
|
|
|
logsource:
|
|
|
|
|
product: windows
|
|
|
|
|
category: process_creation
|
|
|
|
|
detection:
|
|
|
|
|
selection:
|
|
|
|
|
CommandLine|contains|all:
|
2023-01-13 17:21:21 +01:00
|
|
|
- '\System\CurrentControlSet\Control\Lsa\'
|
2023-01-13 12:11:38 +01:00
|
|
|
- 'DisableRestrictedAdmin'
|
2023-01-13 12:31:28 +01:00
|
|
|
- ' 1'
|
2023-01-13 12:11:38 +01:00
|
|
|
condition: selection
|
|
|
|
|
falsepositives:
|
|
|
|
|
- Unknown
|
|
|
|
|
level: high
|
