RestrictedAdminMode Registry Value Tampering - ProcCreation (28ac00d6-22d9-4a3c-927f-bbd770104573)
Detects changes to the "DisableRestrictedAdmin" registry value in order to disable or enable RestrictedAdmin mode. RestrictedAdmin mode prevents the transmission of reusable credentials to the remote system to which you connect using Remote Desktop. This prevents your credentials from being harvested during the initial connection process if the remote server has been compromise
| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
|---|---|---|---|---|
| RestrictedAdminMode Registry Value Tampering - ProcCreation (28ac00d6-22d9-4a3c-927f-bbd770104573) | Sigma-Rules | Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4) | Attack Pattern | 1 |