Enumerate Restricted Admin mode with RestrictedAdmin

Restricted Admin mode was implemented in Windows 8.1 to prevent credentials from being exposed over RDP. While well-intended, it also made it possible to pass-the-hash over RDP. This TTP uses RestrictedAdmin to check the status of DisableRestrictedAdmin.

Test this TTP

Download Operator (1.7.1)
Test this TTP using one of our Operator chains
Is my host protected against RestrictedAdmin?

2023-01-31

Deploy RestrictedAdmin and disable Restricted Admin mode