![Back to home Valhalla Logo](/static/valhalla-logo.png)
Rule Info
Name
RestrictedAdminMode Registry Value Tampering - ProcCreation
Author
frack113
Description
Detects changes to the "DisableRestrictedAdmin" registry value in order to disable or enable RestrictedAdmin mode.
RestrictedAdmin mode prevents the transmission of reusable credentials to the remote system to which you connect using Remote Desktop.
This prevents your credentials from being harvested during the initial connection process if the remote server has been compromise
Date
2023-01-13 00:00:00
Modified
2023-12-15 00:00:00
Id
28ac00d6-22d9-4a3c-927f-bbd770104573
Tags
attack.defense_evasion attack.t1112 DEMO
Type
Community Rule
Link to Public Repo
Rule History
Author
Title
Date
Commit
Nasreddine Bencherchali
Merge PR #4631 from @nasbench - add rules related to CISA `aa23-347a` advisory and other updates
2023-12-18
github-actions[bot]
Merge PR #4611 from @nasbench - Promote Older Rules Status From `experimental` To `test`
2023-12-01