title: Disabled RestrictedAdminMode For RDS - ProcCreation
id: 28ac00d6-22d9-4a3c-927f-bbd770104573
related:
    - id: d6ce7ebd-260b-4323-9768-a9631c8d4db2 # Registry
      type: similar
status: experimental
description: |
    Detects activation of DisableRestrictedAdmin to disable RestrictedAdmin mode.
    RestrictedAdmin mode prevents the transmission of reusable credentials to the remote system to which you connect using Remote Desktop.
    This prevents your credentials from being harvested during the initial connection process if the remote server has been compromised.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/a8e3cf63e97b973a25903d3df9fd55da6252e564/atomics/T1112/T1112.md
    - https://social.technet.microsoft.com/wiki/contents/articles/32905.remote-desktop-services-enable-restricted-admin-mode.aspx
author: frack113
date: 2023/01/13
tags:
    - attack.defense_evasion
    - attack.t1112
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        CommandLine|contains|all:
            - '\System\CurrentControlSet\Control\Lsa\'
            - 'DisableRestrictedAdmin'
            - ' 1'
    condition: selection
falsepositives:
    - Unknown
level: high
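The following is an added example, not part of the Sigma rule or the Sigma project: it evaluates the rule's `CommandLine|contains|all` selection (Sigma's default case-insensitive substring semantics) against a handful of constructed process_creation events, so you can see which command lines alert and which do not before deploying the rule.

```python
# Added example: re-implements the rule's selection logic for local testing.
# Events below are constructed samples, not real telemetry.
from typing import Dict, Iterable, List

# Terms copied from the rule's selection; every term must appear in CommandLine.
CONTAINS_ALL = [
    "\\System\\CurrentControlSet\\Control\\Lsa\\",
    "DisableRestrictedAdmin",
    " 1",  # leading space: matches "/d 1" or "-Value 1", not "/d 10" in general
]


def selection_matches(command_line: str) -> bool:
    """True when all terms occur in the command line, case-insensitively.

    Sigma's `contains|all` modifier is order-independent and, without the
    `cased` modifier, case-insensitive, which this reproduces with lower().
    """
    haystack = command_line.lower()
    return all(term.lower() in haystack for term in CONTAINS_ALL)


def evaluate(events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return the process_creation events that would trigger the rule."""
    return [e for e in events if selection_matches(e.get("CommandLine", ""))]


# Constructed sample events: two should alert, two should stay silent.
SAMPLE_EVENTS = [
    {"Image": "C:\\Windows\\System32\\reg.exe",
     "CommandLine": "reg add HKLM\\System\\CurrentControlSet\\Control\\Lsa\\ "
                    "/v DisableRestrictedAdmin /t REG_DWORD /d 1 /f"},
    {"Image": "C:\\Windows\\System32\\reg.exe",  # value 0 re-enables: no alert
     "CommandLine": "reg add HKLM\\System\\CurrentControlSet\\Control\\Lsa\\ "
                    "/v DisableRestrictedAdmin /t REG_DWORD /d 0 /f"},
    {"Image": "C:\\Windows\\System32\\reg.exe",  # read-only query: no alert
     "CommandLine": "reg query HKLM\\System\\CurrentControlSet\\Control\\Lsa\\ "
                    "/v DisableRestrictedAdmin"},
    {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell Set-ItemProperty -Path "
                    "'HKLM:\\System\\CurrentControlSet\\Control\\Lsa\\' "
                    "-Name DisableRestrictedAdmin -Value 1"},
]

if __name__ == "__main__":
    for hit in evaluate(SAMPLE_EVENTS):
        print("ALERT:", hit["Image"], "->", hit["CommandLine"])
```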