Query Exchange


Mimikatz protections - Restricted Admin Mode

  • 1.  Mimikatz protections - Restricted Admin Mode

    Posted Jul 25, 2019 02:30 AM

    Description: This query looks to see if Restricted Admin mode is disabled.

    What The Data Shows: If the key is not set to 1, Admin Outbound Creds are enabled. More can be found at https://blogs.technet.microsoft.com/kfalde/2015/01/10/restricted-admin-mode-for-rdp-in-windows-7-2008-r2/

    SQL:

    -- Flags hosts where DisableRestrictedAdmin is explicitly 0, i.e. Restricted
    -- Admin mode is turned on; that state is reported as the protection being
    -- DISABLED. When the value is absent or set to 1 the WHERE clause matches
    -- no rows, so COUNT(*) yields 0 (with NULL name/type/mtime) and the result
    -- reads ENABLED.
    SELECT name, type,
       CASE cnt
              WHEN 1 THEN 'DISABLED'
              ELSE 'ENABLED'
       END AS "LSA Restricted Admin Protection",
       datetime(mtime, 'unixepoch', 'localtime') AS last_registry_write
    FROM (SELECT *, COUNT(*) AS cnt
          FROM registry
          WHERE path = 'HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\LSA\\DisableRestrictedAdmin'
            AND data = 0);



    #Community
    #ITHygiene
    #Windows


  • 2.  RE: Mimikatz protections - Restricted Admin Mode

    Broadcom Employee
    Posted Jul 30, 2019 05:51 PM

    You need to check for the value of the registry key, because if this key is present and set to 1 then it will disable Restricted Admin mode. See example below:


    -- Matches only when DisableRestrictedAdmin exists with data 0 (Restricted
    -- Admin mode on), which this query reports as the protection being
    -- DISABLED; an absent value or a value of 1 gives COUNT(*) = 0 and the
    -- ELSE branch, i.e. ENABLED.
    SELECT name, type,
       CASE cnt
              WHEN 1 THEN 'DISABLED'
              ELSE 'ENABLED'
       END AS "LSA Restricted Admin Protection",
       datetime(mtime, 'unixepoch', 'localtime') AS last_registry_write
    FROM (SELECT *, COUNT(*) AS cnt
          FROM registry
          WHERE path = 'HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\LSA\\DisableRestrictedAdmin'
            AND data = 0);




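To see how the query above behaves when the value is absent, set to 0, or set to 1 without touching a Windows host, here is an added example (not from the thread or from the product) that runs the same SQL through Python's sqlite3 against a constructed table shaped like osquery's registry table. It assumes osquery reports the path with single backslashes and REG_DWORD data as a decimal string; the rows and timestamp are constructed.

```python
import sqlite3

# Constructed sample data shaped like osquery's registry table (assumption).
LSA_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA"
VALUE_NAME = "DisableRestrictedAdmin"
SAMPLE_MTIME = 1564043400  # constructed unix timestamp for the sample rows

# The thread's query with single-quoted literals; the path uses single
# backslashes, which is how osquery reports it (assumption).
RESTRICTED_ADMIN_QUERY = r"""
SELECT name, type,
       CASE cnt WHEN 1 THEN 'DISABLED' ELSE 'ENABLED' END AS "LSA Restricted Admin Protection",
       datetime(mtime, 'unixepoch', 'localtime') AS last_registry_write
FROM (SELECT *, COUNT(*) AS cnt
      FROM registry
      WHERE path = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\DisableRestrictedAdmin'
        AND data = 0);
"""


def lsa_value_row(name, dword):
    """Constructed row (key, path, name, type, data, mtime) for a REG_DWORD
    value under the LSA key; data is the decimal string osquery would show."""
    return (LSA_KEY, LSA_KEY + "\\" + name, name, "REG_DWORD", str(dword), SAMPLE_MTIME)


def run_query(rows):
    """Load rows into an in-memory registry table and return the single
    result row: (name, type, status, last_registry_write)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE registry (key TEXT, path TEXT, name TEXT, "
                "type TEXT, data TEXT, mtime INTEGER)")
    con.executemany("INSERT INTO registry VALUES (?, ?, ?, ?, ?, ?)", rows)
    result = con.execute(RESTRICTED_ADMIN_QUERY).fetchone()
    con.close()
    return result


def restricted_admin_status(rows):
    """Status column only: 'DISABLED' when DisableRestrictedAdmin is 0
    (Restricted Admin mode on), 'ENABLED' when absent or non-zero."""
    return run_query(rows)[2]


if __name__ == "__main__":
    cases = {"value absent": [],
             "value = 0": [lsa_value_row(VALUE_NAME, 0)],
             "value = 1": [lsa_value_row(VALUE_NAME, 1)]}
    for label, rows in cases.items():
        print(f"{label:13s} -> {run_query(rows)}")
```

Note that with the value absent the query still returns one row (COUNT(*) without GROUP BY always does), with NULL name, type and timestamp; a collector that expects "no rows" for a clean host needs to account for that.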
  • 3.  RE: Mimikatz protections - Restricted Admin Mode

    Posted Jul 30, 2019 06:58 PM

      Updated as requested. Thanks for the tip.



  • 4.  RE: Mimikatz protections - Restricted Admin Mode

    Broadcom Employee
    Posted Jul 30, 2019 06:59 PM