page(restricted-admin): registry change detection

This commit is contained in:
Ming Di Leom 2025-08-24 10:54:47 +00:00
parent c117b84a68
commit 24f65e8425
No known key found for this signature in database
GPG Key ID: 32D3E28E96A695E8
1 changed files with 6 additions and 0 deletions

@ -2,6 +2,7 @@
title: Restricted Admin Mode Detection title: Restricted Admin Mode Detection
layout: page layout: page
date: 2025-07-27 date: 2025-07-27
updated: 2025-08-24
--- ---
Description: Restricted Admin Mode is commonly abused by Gootloader to use collected hashes to login instead of a password. Description: Restricted Admin Mode is commonly abused by Gootloader to use collected hashes to login instead of a password.
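Review bot: the frontmatter only gains `updated: 2025-08-24` while the Description line still describes just the hash-based logon abuse; since the second hunk adds a query on the `DisableRestrictedAdmin` registry value, consider extending the description to say the page now covers both the logon events and changes to that LSA value, so readers know what the new block is for.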
@ -15,3 +16,8 @@ SPL:
| lookup ad_users sAMAccountName AS user OUTPUT displayName AS Name, mail AS Email | lookup ad_users sAMAccountName AS user OUTPUT displayName AS Name, mail AS Email
| table Time, index, host, EventCode, EventDescription, process, user, Name, Email | table Time, index, host, EventCode, EventDescription, process, user, Name, Email
``` ```
```spl
| tstats summariesonly=true allow_old_summaries=true fillnull_value="unknown" count FROM datamodel=Endpoint.Registry WHERE index="windows" Registry.registry_path="*\\CurrentControlSet\\Control\\Lsa*" Registry.registry_value_name="DisableRestrictedAdmin" BY Registry.dest, Registry.registry_path, Registry.registry_value_name, Registry.registry_value_data, Registry.action, Registry.process_guid, Registry.process_id, Registry.user
| rename Registry.* AS *
```
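Review bot: the new `tstats` search aggregates only `count` with no time field, so unlike the first query (which ends with `| table Time, index, host, ...`) its results carry no timestamp for triage; add `min(_time) AS firstTime max(_time) AS lastTime` to the aggregation (or `_time` to the `BY` clause) and render them with `| convert ctime(firstTime) ctime(lastTime)`. The block is also appended directly after the closing fence of the previous query with no heading or sentence between them; a short lead-in stating that it reports writes to `HKLM\SYSTEM\CurrentControlSet\Control\Lsa\DisableRestrictedAdmin` (a value of 0 enables Restricted Admin mode, so `Registry.registry_value_data` is the field to watch) would help, and the `lookup ad_users ... OUTPUT displayName AS Name, mail AS Email` enrichment used above could be reused on `user` here for consistency.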