Back to BlogWhy are Threat Actors enabling Windows Restricted Admin mode?
RestrictedAdmin mode for RDP was first introduced to Windows 8.1 and Windows Server 2012 R2. Restricted Admin mode has been back ported to Windows 7 and Windows Server 2008, however, it was later disabled by default on newer Windows systems. While Restricted Admin mode was created to help protect administrative account credentials against Pass-the-Hash attacks, ironically, the security control resulted in a new Pass-the-Hash vector.
The intention behind Restricted Admin mode was to mitigate the risk of exposing administrative credentials when connecting to potentially compromised machines. Normally, when you logon via RDP using an interactive session (username and password), a copy of your credentials is stored in the Local Security Authority Subsystem Service (LSASS) on the destination host.
When Restricted Admin mode is enabled, the RDP server uses network logon instead of interactive logon. This means a user with local administrator privileges on a system with Restricted Admin mode enabled authenticates with a NT hash or Kerberos ticket, instead of with a password. While the password isn’t cached, these NT hashes are and can be collected and used to impersonate users.
Restricted Admin Mode Adversarial Techniques
Because Restricted Admin mode is typically disabled by default, threat actors have been observed enabling Restricted Admin mode in order dump hashed user credentials stored in memory. Restricted Admin mode may also be enabled in order to bypass MFA solutions for RDP. [7] [2]
Once a threat actor has access to a compromised endpoint, hashed credentials can be trivially extracted from the Security Account Manager (SAM) registry file or dumped from LSASS using open-source offensive security tools. For instance, hashes can be dumped from an open session to a compromised host using the hashdump command in the meterpreter tool:
or dump NT hashes from LSASS by using mimikatz:
After the hash is collected, the NT hash of an account in an administrative group can be used to move laterally or issue commands remotely. For example, a threat actor could use xfreerdp [9]:
xfreerdp /v:IP_ADDRESS /u:USERNAME /pth:NT_HASHor mimikatz to perform a pass-the-hash attack to move laterally via RDP using a host with Restricted Admin mode enabled. [6]
Here are a few examples of recent intrusions where an attacker enabled Restricted Admin mode by disabling the DisableRestrictedAdmin registry key. The DFIR Report published a write-up on an intrusion from February 2023 weaponizing Restricted Admin mode. [3]
reg add "hklm\system\currentcontrolset\control\lsa" /f /v DisableRestrictedAdmin /t REG_DWORD /d 0CISA has multiple cybersecurity advisories reporting Restricted Admin mode similarly weaponized. These include groups such as Russian Foreign Intelligence Service (SVR) in December 2023 [4] and multiple nation-state threat actors in September 2023 [5].
reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa /v DisableRestrictedAdmin /t REG_DWORD /d "0" /fpowershell New-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Lsa" -Name "DisableRestrictedAdmin" -Value "0" -PropertyType DWORD -ForceDefensive Security Controls and Blumira Detection
Remote Admin mode is generally not recommended for most workstations and is disabled by default. However, there are unique circumstances where Microsoft does recommend enabling Remote Admin, such as specific helpdesk support scenarios:
For helpdesk support scenarios in which personnel require administrative access via Remote Desktop sessions, it isn’t recommended the use of Remote Credential Guard. If an RDP session is initiated to an already compromised client, the attacker could use that open channel to create sessions on the user’s behalf. The attacker can access any of the user’s resources for a limited time after the session disconnects.
We recommend using Restricted Admin mode option instead. For helpdesk support scenarios, RDP connections should only be initiated using the /RestrictedAdmin switch. This helps to ensure that credentials and other user resources aren’t exposed to compromised remote hosts.
If you’d like to learn more about Restricted Admin best use cases and compare it to other Microsoft features check out documentation from Microsoft linked here: Remote Credential Guard | Compare Remote Credential Guard with other connection options. RestrictedAdmin mode is available for the following systems: “Windows 7, Windows 8, Windows 8.1, Windows 10, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows RT“. [8]
Blumira detects the adversarial techniques reported by CISA and The DFIR Report with a “Registry Value Tampering: Restricted Admin Mode Enabled” detection. Blumira detections also monitor for related threat actor activities that may occur before or after this activity, such as discovery, credential access, persistence, and exploit execution. Some of these detections include:
- Nltest Domain Enumeration
- Mimikatz Pass the Hash
- Password Dumper Remote Thread in LSASS
- COMSPEC Service Execution
- User Added to Local Administrator Group
- and more…
REFERENCES
[1] https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn408190(v=ws.11)#restricted-admin-mode-for-remote-desktop-connection
[2] https://duo.com/docs/rdp-faq#what-logon-interfaces-can-duo-protect?
[3] https://thedfirreport.com/2024/02/26/seo-poisoning-to-domain-control-the-gootloader-saga-continues/
[4] https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a
[5] https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-250a
[6] https://hunter2.gitbook.io/darthsidious/getting-started/intro-to-windows-hashes
[7] https://www.aon.com/cyber-solutions/aon_cyber_labs/restricted-admin-mode-circumventing-mfa-on-rdp-logons/
[8] https://learn.microsoft.com/en-us/archive/technet-wiki/32905.remote-desktop-services-enable-restricted-admin-mode
[9] https://www.n00py.io/2020/12/alternative-ways-to-pass-the-hash-pth/