Disabled RestrictedAdminMode For RDS - ProcCreation

Rule Info

Name
Disabled RestrictedAdminMode For RDS - ProcCreation
Description
Detects a process being created to set the DisableRestrictedAdmin registry value, which disables Restricted Admin mode. Restricted Admin mode prevents the transmission of reusable credentials to the remote system to which you connect using Remote Desktop. This prevents your credentials from being harvested during the initial connection process if the remote server has been compromised.
Modified
None
Date
2023-01-13 00:00:00
Author
frack113
Tags
attack.defense_evasion DEMO attack.t1112
Id
28ac00d6-22d9-4a3c-927f-bbd770104573
Type
Community Rule
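The description above says what the rule looks for but not how a process-creation event that turns Restricted Admin mode off actually looks. The following is an added example written for this page, not the Sigma rule's own detection logic: a small classifier that scans constructed process-creation events for the usual ways the value is written (reg.exe add, PowerShell Set-ItemProperty/New-ItemProperty) and distinguishes a write of 1 (disables Restricted Admin mode) from a write of 0 (enables it) or a mere query. The registry path HKLM\SYSTEM\CurrentControlSet\Control\Lsa\DisableRestrictedAdmin and the command forms are assumptions about typical tooling, and the sample events are constructed, not real telemetry.

```python
"""Toy classifier for process-creation events that disable Restricted Admin mode.

Added example, not the Sigma rule's own detection logic.  It keys on the
registry value the rule description names being written through reg.exe or
PowerShell.  Path, command forms and sample events are assumptions.
"""
import re
from typing import Optional

# Registry location of the value (assumption about the documented path).
LSA_KEY = r"system\currentcontrolset\control\lsa"
VALUE_NAME = "disablerestrictedadmin"

# Tokens that carry the written data for the two common tooling paths:
#   reg.exe:    reg add <key> /v DisableRestrictedAdmin /t REG_DWORD /d 1 /f
#   PowerShell: Set-ItemProperty -Path <key> -Name DisableRestrictedAdmin -Value 1
_REG_DATA = re.compile(r"/d\s+(\S+)", re.IGNORECASE)
_PS_VALUE = re.compile(r"-Value\s+(\S+)", re.IGNORECASE)
_REG_DELETE = re.compile(r"\breg(\.exe)?\s+delete\b")


def _to_int(token: str) -> Optional[int]:
    """Parse a DWORD as typed on a command line: 1, 0x1, "1", 00000001."""
    token = token.strip("'\"")
    try:
        return int(token, 0)          # base 0 accepts decimal and 0x hex
    except ValueError:
        return int(token) if token.isdigit() else None   # leading zeros


def classify(cmdline: str) -> Optional[str]:
    """Return a reason string when the command line disables Restricted Admin
    mode, or None when it does not (reads, unrelated commands, or writing 0,
    which enables the mode)."""
    low = cmdline.lower()
    if LSA_KEY not in low or VALUE_NAME not in low:
        return None
    # The value is absent by default and an absent value leaves Restricted
    # Admin mode off, so deleting it has the same effect as writing 1.
    if _REG_DELETE.search(low) or "remove-itemproperty" in low:
        return "DisableRestrictedAdmin removed (absent value leaves Restricted Admin mode off)"
    match = _REG_DATA.search(cmdline) or _PS_VALUE.search(cmdline)
    if match is None:
        return None                   # reg query / Get-ItemProperty, or unparsable write
    data = _to_int(match.group(1))
    if data is None or data == 0:
        return None                   # 0 enables Restricted Admin mode
    return f"DisableRestrictedAdmin set to {data}"


def scan(events):
    """Run classify() over Sysmon-style events; return (Image, reason) hits."""
    hits = []
    for ev in events:
        reason = classify(ev["CommandLine"])
        if reason:
            hits.append((ev["Image"], reason))
    return hits


# Constructed sample events (not real logs): two disables, one enable, one
# query, one delete, and an unrelated mstsc invocation that mentions the mode.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r"reg.exe add HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v DisableRestrictedAdmin /t REG_DWORD /d 1 /f"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'powershell.exe -NoProfile -Command "Set-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Control\Lsa -Name DisableRestrictedAdmin -Value 0x1"'},
    {"Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r"reg.exe add HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v DisableRestrictedAdmin /t REG_DWORD /d 0 /f"},
    {"Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r"reg.exe query HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v DisableRestrictedAdmin"},
    {"Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r"reg.exe delete HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v DisableRestrictedAdmin /f"},
    {"Image": r"C:\Windows\System32\mstsc.exe",
     "CommandLine": r"mstsc.exe /restrictedAdmin /v:srv01"},
]


if __name__ == "__main__":
    for image, reason in scan(SAMPLE_EVENTS):
        print(f"{image}: {reason}")
```

Two caveats a practitioner would keep in mind: matching on the command line only catches tooling that spells the value out, so a write made directly through the registry API from a compiled tool never appears in process-creation telemetry and needs registry-event visibility instead; and a write of 0 is the opposite action (it enables Restricted Admin mode), so a matcher that only checks for the value name without looking at the data will alert on hardening as well as on tampering.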

Rule History

Author | Commit Title | Date
Nasreddine Bencherchali | fix: add related metadata | 2023-01-13
frack113 | Update proc_creation_win_lsa_disablerestrictedadmin.yml | 2023-01-13
frack113 | Move rules | 2023-01-13
frack113 | Add redcannary rules | 2023-01-13