title: Disabled RestrictedAdminMode For RDS
id: d6ce7ebd-260b-4323-9768-a9631c8d4db2
related:
    - id: 28ac00d6-22d9-4a3c-927f-bbd770104573 # process_creation
      type: similar
status: experimental
description: |
    Detects the DisableRestrictedAdmin registry value being set to 1, which disables RestrictedAdmin mode.
    RestrictedAdmin mode prevents the transmission of reusable credentials to the remote system to which you connect using Remote Desktop.
    This prevents your credentials from being harvested during the initial connection process if the remote server has been compromised.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/a8e3cf63e97b973a25903d3df9fd55da6252e564/atomics/T1112/T1112.md
    - https://social.technet.microsoft.com/wiki/contents/articles/32905.remote-desktop-services-enable-restricted-admin-mode.aspx
author: frack113
date: 2023/01/13
tags:
    - attack.defense_evasion
    - attack.t1112
logsource:
    product: windows
    category: registry_set
detection:
    selection:
        EventType: SetValue
        TargetObject|endswith: 'System\CurrentControlSet\Control\Lsa\DisableRestrictedAdmin'
        Details: 'DWORD (0x00000001)'
    condition: selection
falsepositives:
    - Unknown
level: high
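The selection above as executable matching logic, an added example that is not part of the rule or of the Sigma project: it applies Sigma's case-insensitive equality and `endswith` semantics to constructed records shaped like Sysmon Event ID 13 (registry_set) events, so you can see which changes to the value fire the rule and which do not. The sample events and the `HKLM` prefix are assumptions for illustration.

```python
# The rule's selection map, copied from the YAML above (field[|modifier] -> value).
SELECTION = {
    "EventType": "SetValue",
    "TargetObject|endswith": r"System\CurrentControlSet\Control\Lsa\DisableRestrictedAdmin",
    "Details": "DWORD (0x00000001)",
}


def field_matches(event: dict, key: str, expected: str) -> bool:
    """One Sigma field test: plain equality or the 'endswith' modifier.
    Sigma compares strings case-insensitively, so both tests fold case."""
    field, _, modifier = key.partition("|")
    value = event.get(field)
    if value is None:
        return False            # a missing field never matches
    value, expected = value.lower(), expected.lower()
    if modifier == "endswith":
        return value.endswith(expected)
    if modifier == "":
        return value == expected
    raise ValueError(f"unsupported modifier: {modifier}")


def rule_matches(event: dict) -> bool:
    """'condition: selection' holds only when every field test in the map holds."""
    return all(field_matches(event, k, v) for k, v in SELECTION.items())


def alerts(events: list) -> list:
    """Return the TargetObject of each event the rule fires on."""
    return [e["TargetObject"] for e in events if rule_matches(e)]


# Constructed sample records shaped like Sysmon Event ID 13 (registry_set) events.
LSA = r"HKLM\System\CurrentControlSet\Control\Lsa"
SAMPLE_EVENTS = [
    # value set to 1 disables RestrictedAdmin mode: the rule should fire
    {"EventType": "SetValue", "TargetObject": LSA + r"\DisableRestrictedAdmin", "Details": "DWORD (0x00000001)"},
    # same change logged with different key casing: still fires (case-insensitive match)
    {"EventType": "SetValue", "TargetObject": LSA.upper() + r"\DisableRestrictedAdmin", "Details": "DWORD (0x00000001)"},
    # value set back to 0 restores the protection: no alert
    {"EventType": "SetValue", "TargetObject": LSA + r"\DisableRestrictedAdmin", "Details": "DWORD (0x00000000)"},
    # deletion of the value is a different EventType: no alert from this rule
    {"EventType": "DeleteValue", "TargetObject": LSA + r"\DisableRestrictedAdmin", "Details": "DWORD (0x00000001)"},
]

if __name__ == "__main__":
    for hit in alerts(SAMPLE_EVENTS):
        print("ALERT:", hit)
```

Note that only the `SetValue` of exactly `DWORD (0x00000001)` fires; resetting the value to 0 or deleting it is outside this rule's scope.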