Is my host protected against RestrictedAdmin?

This chain will stage a RestrictedAdmin binary from Operator and use it to enumerate and adjust the Restricted Admin mode.

Restricted Admin Mode was introduced in Windows 8.1 to prevent a user's credentials from being exposed to the remote host over RDP. While well-intended, it also made pass-the-hash possible over RDP, because the connecting client no longer has to present a plaintext password.

Restricted Admin Mode is not enabled by default, but it can be enabled by setting the DisableRestrictedAdmin value to 0 under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa. To do this remotely we could use Remote Registry; however, that service is not always enabled (particularly on workstations). Instead, we can use the StdRegProv WMI class to flip the value remotely. This approach was later expanded by @airzero24 in his WMIReg project.

RestrictedAdmin is available for download from GhostPack.

Testing

Execute the "Is my host protected against RestrictedAdmin?" chain in Operator on each host in your environment to test whether you are vulnerable.

Remediation

Microsoft has provided a list of steps to enable and require RestrictedAdmin on all outbound RDP requests. More information can be found here.

Steps to require all outbound Remote Desktop requests to use RestrictedAdmin mode:

  • Open Group Policy Management Console: click Start, click Run, type gpmc.msc, and then click OK.
  • Select the group policy which best applies to the systems from which you will initiate Remote Desktop connections.
  • Edit the Group Policy and navigate to the following node:
    Computer Configuration\Policies\Administrative Templates\System\Credentials Delegation
  • Configure the value of "Restrict delegation of credentials to remote servers" to Enabled.

This setting will take effect when Group Policy refreshes. To immediately refresh group policy, open an elevated command prompt and enter the following text:

Gpupdate.exe /target:computer /force

You should also harden Group Policy processing by opening the following policy setting in your GPO:

  • Computer Configuration\Administrative Templates\System\Group Policy\Registry Policy Processing

Enable this policy setting and select the checkbox labeled Process even if the Group Policy objects have not changed. This will force Group Policy settings to be reapplied to target computers even when the actual settings within a GPO haven’t changed.
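Both the StdRegProv enumeration described above and the outbound policy from the remediation steps can be audited from a defender's side with the following PowerShell script; it is an added example, not code from the Prelude chain or the GhostPack tool. The CredentialsDelegation value names and meanings, the helper names and the host names are assumptions.

```powershell
# Reads a DWORD from HKLM on a remote host via the StdRegProv WMI class,
# so the Remote Registry service does not need to be running.
# Returns $null when the key or value does not exist.
function Read-RegDword {
    param($Reg, [string]$SubKey, [string]$Name)
    $HKLM = [uint32]2147483650          # hDefKey constant for HKEY_LOCAL_MACHINE
    $r = $Reg.GetDWORDValue($HKLM, $SubKey, $Name)
    if ($r.ReturnValue -eq 0) { return [uint32]$r.uValue }
    return $null
}

function Get-RestrictedAdminState {
    param([string]$ComputerName = $env:COMPUTERNAME)

    $reg = [wmiclass]"\\$ComputerName\root\default:StdRegProv"

    # Inbound: DisableRestrictedAdmin = 0 means Restricted Admin mode is enabled,
    # i.e. the host accepts a Restricted Admin RDP logon (the condition the chain
    # tests for). A missing value is the Windows default: mode disabled.
    $disable = Read-RegDword -Reg $reg -SubKey 'SYSTEM\CurrentControlSet\Control\Lsa' `
                             -Name 'DisableRestrictedAdmin'
    $inboundEnabled = ($null -ne $disable -and $disable -eq 0)

    # Outbound: the "Restrict delegation of credentials to remote servers" policy.
    # Assumption: it is stored as RestrictedRemoteAdministration (1 = enabled) and
    # RestrictedRemoteAdministrationType (1 = require Restricted Admin) under the
    # CredentialsDelegation policy key.
    $polKey   = 'SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation'
    $restrict = Read-RegDword -Reg $reg -SubKey $polKey -Name 'RestrictedRemoteAdministration'
    $type     = Read-RegDword -Reg $reg -SubKey $polKey -Name 'RestrictedRemoteAdministrationType'

    [pscustomobject]@{
        ComputerName               = $ComputerName
        DisableRestrictedAdmin     = $disable
        RestrictedAdminRdpAccepted = $inboundEnabled
        OutboundPolicyConfigured   = ($restrict -eq 1)
        OutboundRequiresRestricted = ($restrict -eq 1 -and $type -eq 1)
    }
}

# Audit a constructed list of hosts and show the ones that currently accept a
# Restricted Admin RDP logon, so they can be reviewed against the remediation above.
'WS01', 'WS02' | ForEach-Object { Get-RestrictedAdminState -ComputerName $_ } |
    Where-Object RestrictedAdminRdpAccepted | Format-Table -AutoSize
```

Run it with an account that has WMI access to the targets; a host that disappears from the filtered output after remediation is no longer exposed to the inbound condition this chain tests.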

Staying up to date

Thanks for reading our latest TTP Tuesday release! Please subscribe and reach out with any feedback. We love to hear from our community!
There are several ways to follow us and learn more about Prelude and our team members:

Get our products

Download Prelude Operator: https://www.prelude.org/download/current
See the latest kill chain and TTP Releases: https://chains.prelude.org
See our open-source repositories: https://github.com/preludeorg

Join our community

Discord: https://discord.gg/gzUv4XNquu
Reddit: https://www.reddit.com/r/preludeorg/
Twitter: https://twitter.com/preludeorg

Read, watch, and listen

Listen to our Podcast: https://anchor.fm/preludeorg
Read our blog: https://feed.prelude.org
Watch our live streams: https://www.twitch.tv/preludeorg
Watch our pre-recorded content: https://www.youtube.com/c/preludeorg

Follow our team

David: https://twitter.com/privateducky
Alex: https://twitter.com/khyberspache
Octavia: https://twitter.com/VVX7
Waseem: https://twitter.com/gerbsec
Robin: https://twitter.com/bfuzzy1

Source: https://feed.prelude.org

TTPs

Enumerate Restricted Admin mode with RestrictedAdmin
Enable Restricted Admin mode using RestrictedAdmin