RestrictedAdminMode Registry Value Tampering - ProcCreation

Rule Info

Name
RestrictedAdminMode Registry Value Tampering - ProcCreation
Author
frack113
Description
Detects changes to the "DisableRestrictedAdmin" registry value in order to disable or enable RestrictedAdmin mode. RestrictedAdmin mode prevents the transmission of reusable credentials to the remote system to which you connect using Remote Desktop. This prevents your credentials from being harvested during the initial connection process if the remote server has been compromise
Reference
https://github.com/redcanaryco/atomic-red-team/blob/a8e3cf63e97b973a25903d3df9fd55da6252e564/atomics/T1112/T1112.md
Date
2023-01-13 00:00:00
Modified
2023-12-15 00:00:00
Id
28ac00d6-22d9-4a3c-927f-bbd770104573
Tags
attack.defense_evasion attack.t1112 DEMO
Type
Community Rule
Link to Public Repo
https://github.com/SigmaHQ/sigma/search?q=28ac00d6-22d9-4a3c-927f-bbd770104573

Rule History

Author
Title
Date
Commit
Nasreddine Bencherchali
Merge PR #4631 from @nasbench - add rules related to CISA `aa23-347a` advisory and other updates
2023-12-18
412edd1e1
github-actions[bot]
Merge PR #4611 from @nasbench - Promote Older Rules Status From `experimental` To `test`
2023-12-01
ae960f088
Wagga
Merge PR #4524 from @wagga40 - Fix Typos In Metadata Fields
2023-10-28
8bf328219
Nasreddine Bencherchali
feat: multiple fixes and updates
2023-02-21
63888f7a5
Nasreddine Bencherchali
fix: add related metadata
2023-01-13
8707345be
frack113
Update proc_creation_win_lsa_disablerestrictedadmin.yml
2023-01-13
23620bc8a
frack113
Move rules
2023-01-13
1b11e29fe
frack113
Add redcannary rules
2023-01-13
e0434a3f2
THOR Logo  Scan your endpoints, forensic images or collected files with our portable scanner THOR
  Warning: Access to VALHALLA is rate-limited - once you prove unworthy, access gets denied
  Nextron Systems 2022