page(restricted-admin): registry change detection

source/threat-hunting/restricted-admin-mode-detection.md

@@ -2,6 +2,7 @@
 title: Restricted Admin Mode Detection
 layout: page
 date: 2025-07-27
+updated: 2025-08-24
 ---
 
 Description: Restricted Admin Mode is commonly abused by Gootloader to use collected hashes to login instead of a password.
@@ -15,3 +16,8 @@ SPL:
 | lookup ad_users sAMAccountName AS user OUTPUT displayName AS Name, mail AS Email
 | table Time, index, host, EventCode, EventDescription, process, user, Name, Email
 ```
+
+```spl
+| tstats summariesonly=true allow_old_summaries=true fillnull_value="unknown" count FROM datamodel=Endpoint.Registry WHERE index="windows" Registry.registry_path="*\\CurrentControlSet\\Control\\Lsa*" Registry.registry_value_name="DisableRestrictedAdmin" BY Registry.dest, Registry.registry_path, Registry.registry_value_name, Registry.registry_value_data, Registry.action, Registry.process_guid, Registry.process_id, Registry.user
+| rename Registry.* AS *
+```