Built off the open source project Osquery
Description: This query checks whether Restricted Admin mode is disabled.
What The Data Shows: If the value is not set to 1, admin outbound credentials are enabled. More can be found at https://blogs.technet.microsoft.com/kfalde/2015/01/10/restricted-admin-mode-for-rdp-in-windows-7-200...
SQL:
-- The subquery counts the DisableRestrictedAdmin value only when its data is 0,
-- so cnt is 1 when that row exists and 0 when the value is absent or set to
-- anything else. SQLite does not treat backslash as an escape inside string
-- literals, so the registry path is written with single backslashes, and
-- string literals use single quotes (double quotes are identifier quotes).
SELECT name, type,
       CASE cnt
         WHEN 1 THEN 'DISABLED'
         ELSE 'ENABLED'
       END AS "LSA Restricted Admin Protection",
       datetime(mtime, 'unixepoch', 'localtime') AS last_registry_write
FROM (SELECT *, COUNT(*) AS cnt
      FROM registry
      WHERE path = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\DisableRestrictedAdmin'
        AND data = '0');
Copyright © 2005-2023 Broadcom. All Rights Reserved. The term “Broadcom” refers to Broadcom Inc. and/or its subsidiaries.