Disabled RestrictedAdminMode For RDS

Rule Info

Name
Disabled RestrictedAdminMode For RDS
Description
Detect activation of DisableRestrictedAdmin to desable RestrictedAdmin mode. RestrictedAdmin mode prevents the transmission of reusable credentials to the remote system to which you connect using Remote Desktop. This prevents your credentials from being harvested during the initial connection process if the remote server has been compromise
Reference
https://github.com/redcanaryco/atomic-red-team/blob/a8e3cf63e97b973a25903d3df9fd55da6252e564/atomics/T1112/T1112.md
Modified
None
Date
2023-01-13 00:00:00
Author
frack113
Tags
attack.defense_evasion DEMO attack.t1112
Id
d6ce7ebd-260b-4323-9768-a9631c8d4db2
Type
Community Rule
Link to Public Repo
https://github.com/SigmaHQ/sigma/search?q=d6ce7ebd-260b-4323-9768-a9631c8d4db2

Rule History

Author
Commit
Title
Date
Nasreddine Bencherchali
8707345be
fix: add related metadata
2023-01-13
frack113
1b11e29fe
Move rules
2023-01-13
frack113
e0434a3f2
Add redcannary rules
2023-01-13
THOR Logo  Scan your endpoints, forensic images or collected files with our portable scanner THOR
  Warning: Access to VALHALLA is rate-limited - once you prove unworthy, access gets denied
  Nextron Systems 2022