The VMware Carbon Black Tech Zone is live! Checkout this great resource: Mastering Carbon Black Audit & Remediation.

Mimikatz protections - Restricted Admin Mode

Description: This query looks to see if Restricted admin mode are disabled.

What The Data Shows: If the key is not set to 1, Admin Outbound Creds are enabled. More can be found @ https://blogs.technet.microsoft.com/kfalde/2015/01/10/restricted-admin-mode-for-rdp-in-windows-7-200...

SQL:

SELECT name,type,
   CASE cnt
          WHEN 1 THEN "DISABLED"
          ELSE "ENABLED"
   END "LSA Restricted Admin Protection",
   datetime(mtime,"unixepoch","localtime") AS last_registry_write
FROM (SELECT *,COUNT(*) AS cnt
FROM registry
WHERE Path='HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\LSA\\DisableRestrictedAdmin' AND data = 0);

 

3 Comments
jnelson
Carbon Black Employee
Status changed to: Under Review

@ksnihur you need to check for the value of the registry key  because if this key is present and set to 1 then it will disable Restricted Admin mode. See example below:

 

SELECT name,type,
   CASE cnt
          WHEN 1 THEN "DISABLED"
          ELSE "ENABLED"
   END "LSA Restricted Admin Protection",
   datetime(mtime,"unixepoch","localtime") AS last_registry_write
FROM (SELECT *,COUNT(*) AS cnt
FROM registry
WHERE Path='HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\LSA\\DisableRestrictedAdmin' AND data = 0);

 

ksnihur
Contributor

@jnelson  updated as requested. Thanks for the tip. 

jnelson
Carbon Black Employee
Status changed to: Approved