Disabled RestrictedAdminMode For RDS - ProcCreation

Rule Info

Name
Disabled RestrictedAdminMode For RDS - ProcCreation
Description
Detect activation of DisableRestrictedAdmin to desable RestrictedAdmin mode. RestrictedAdmin mode prevents the transmission of reusable credentials to the remote system to which you connect using Remote Desktop. This prevents your credentials from being harvested during the initial connection process if the remote server has been compromise
Reference
https://github.com/redcanaryco/atomic-red-team/blob/a8e3cf63e97b973a25903d3df9fd55da6252e564/atomics/T1112/T1112.md
Modified
None
Date
2023-01-13 00:00:00
Author
frack113
Tags
attack.defense_evasion DEMO attack.t1112
Id
28ac00d6-22d9-4a3c-927f-bbd770104573
Type
Community Rule
Link to Public Repo
https://github.com/SigmaHQ/sigma/search?q=28ac00d6-22d9-4a3c-927f-bbd770104573

Rule History

Author
Commit
Title
Date
Nasreddine Bencherchali
8707345be
fix: add related metadata
2023-01-13
frack113
23620bc8a
Update proc_creation_win_lsa_disablerestrictedadmin.yml
2023-01-13
frack113
1b11e29fe
Move rules
2023-01-13
frack113
e0434a3f2
Add redcannary rules
2023-01-13
THOR Logo  Scan your endpoints, forensic images or collected files with our portable scanner THOR
  Warning: Access to VALHALLA is rate-limited - once you prove unworthy, access gets denied
  Nextron Systems 2022