Enumerate Restricted Admin mode with RestrictedAdmin

Restricted Admin mode was introduced in Windows 8.1 to prevent credentials from being exposed over RDP. While well-intended, it also made pass-the-hash possible over RDP. This TTP uses RestrictedAdmin to check the status of the DisableRestrictedAdmin value.
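The following PowerShell is an added audit example, not the TTP's own command and not code from Prelude. It reads the DisableRestrictedAdmin value under the standard Lsa registry key and reports whether Restricted Admin mode is enabled on the local host. The function name, parameter and output fields are this example's own; the interpretation that 0 enables the mode while 1 or a missing value leaves it disabled (the Windows default) is an assumption stated in the code.

```powershell
# Added audit example (not the TTP's command). Reads the value this TTP checks and
# reports the Restricted Admin mode state of the local host.
# Assumed semantics: DisableRestrictedAdmin = 0 enables the mode; 1 or an absent
# value leaves it disabled, which is the default on a stock Windows install.
function Get-RestrictedAdminStatus {
    [CmdletBinding()]
    param(
        # Key that holds DisableRestrictedAdmin (standard Lsa key, not TTP-specific)
        [string]$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    )

    $value = (Get-ItemProperty -Path $LsaKey -Name 'DisableRestrictedAdmin' `
                -ErrorAction SilentlyContinue).DisableRestrictedAdmin

    if ($null -eq $value) {
        $state   = 'Disabled (value not present, default)'
        $enabled = $false
    } elseif ($value -eq 0) {
        $state   = 'Enabled (DisableRestrictedAdmin = 0)'
        $enabled = $true
    } else {
        $state   = "Disabled (DisableRestrictedAdmin = $value)"
        $enabled = $false
    }

    # Enabled mode keeps credentials off the RDP target but lets a holder of an NTLM
    # hash open an RDP session, so the setting is a risk trade-off rather than a
    # one-sided hardening step.
    [pscustomobject]@{
        ComputerName           = $env:COMPUTERNAME
        DisableRestrictedAdmin = $value
        RestrictedAdminEnabled = $enabled
        State                  = $state
    }
}

# Usage: report the state and flag hosts where pass-the-hash over RDP is possible.
$status = Get-RestrictedAdminStatus
$status | Format-List

if ($status.RestrictedAdminEnabled) {
    Write-Warning "Restricted Admin mode is enabled on $($status.ComputerName); pass-the-hash over RDP is possible."
    # Remediation (requires local admin; uncomment to apply): set the value to 1 to disable the mode.
    # Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name 'DisableRestrictedAdmin' -Value 1 -Type DWord
}
```

Run it as an administrator if you intend to apply the remediation; reading the value needs no elevation. The function returns an object rather than printing text so the result can be collected across a fleet and compared against the state each host is supposed to be in.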
Test this TTP

Download Operator (1.7.1)

Test this TTP using one of our Operator chains:
- Is my host protected against RestrictedAdmin?
- Deploy RestrictedAdmin and disable Restricted Admin mode