April 19, 2024

    Why are Threat Actors enabling Windows Restricted Admin mode?

    RestrictedAdmin mode for RDP was first introduced in Windows 8.1 and Windows Server 2012 R2. It was later backported to Windows 7 and Windows Server 2008, but was subsequently disabled by default on newer Windows systems. While Restricted Admin mode was created to help protect administrative account credentials against Pass-the-Hash attacks, the security control ironically resulted in a new Pass-the-Hash vector.

    The intention behind Restricted Admin mode was to mitigate the risk of exposing administrative credentials when connecting to potentially compromised machines. Normally, when you log on via RDP using an interactive session (username and password), a copy of your credentials is stored in the Local Security Authority Subsystem Service (LSASS) on the destination host.

    When Restricted Admin mode is enabled, the RDP server uses a network logon instead of an interactive logon. This means a user with local administrator privileges on a system with Restricted Admin mode enabled authenticates with an NT hash or Kerberos ticket instead of a password. While the password isn’t cached, these NT hashes are, and they can be collected and used to impersonate users.

    Restricted Admin Mode Adversarial Techniques

    Because Restricted Admin mode is typically disabled by default, threat actors have been observed enabling Restricted Admin mode in order to dump hashed user credentials stored in memory. Restricted Admin mode may also be enabled in order to bypass MFA solutions for RDP. [7] [2]

    Once a threat actor has access to a compromised endpoint, hashed credentials can be trivially extracted from the Security Account Manager (SAM) registry file or dumped from LSASS using open-source offensive security tools. For instance, hashes can be dumped from an open session to a compromised host using the hashdump command in the meterpreter tool:

    or NT hashes can be dumped from LSASS using mimikatz:

    After the hash is collected, the NT hash of an account in an administrative group can be used to move laterally or issue commands remotely. For example, a threat actor could use xfreerdp [9]:

    xfreerdp /v:IP_ADDRESS /u:USERNAME /pth:NT_HASH

    or mimikatz to perform a pass-the-hash attack to move laterally via RDP using a host with Restricted Admin mode enabled. [6]

    Here are a few examples of recent intrusions where an attacker enabled Restricted Admin mode by setting the DisableRestrictedAdmin registry value to 0. The DFIR Report published a write-up on an intrusion from February 2023 weaponizing Restricted Admin mode. [3]

    reg add "hklm\system\currentcontrolset\control\lsa" /f /v DisableRestrictedAdmin /t REG_DWORD /d 0

    CISA has published multiple cybersecurity advisories reporting Restricted Admin mode being weaponized in the same way. These include the Russian Foreign Intelligence Service (SVR) in December 2023 [4] and multiple nation-state threat actors in September 2023 [5].

    reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa /v DisableRestrictedAdmin /t REG_DWORD /d "0" /f
    powershell New-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Lsa" -Name "DisableRestrictedAdmin" -Value "0" -PropertyType DWORD -Force

    Defensive Security Controls and Blumira Detection

    Restricted Admin mode is generally not recommended for most workstations and is disabled by default. However, there are specific circumstances in which Microsoft does recommend enabling Restricted Admin mode, such as certain helpdesk support scenarios:

    For helpdesk support scenarios in which personnel require administrative access via Remote Desktop sessions, the use of Remote Credential Guard isn't recommended. If an RDP session is initiated to an already compromised client, the attacker could use that open channel to create sessions on the user's behalf. The attacker can access any of the user's resources for a limited time after the session disconnects.

    We recommend using the Restricted Admin mode option instead. For helpdesk support scenarios, RDP connections should only be initiated using the /RestrictedAdmin switch. This helps to ensure that credentials and other user resources aren't exposed to compromised remote hosts.

    (Source: Microsoft, updated 03/12/2024)[13]

    If you’d like to learn more about Restricted Admin best use cases and compare it with other Microsoft features, check out the Microsoft documentation linked here: Remote Credential Guard | Compare Remote Credential Guard with other connection options. RestrictedAdmin mode is available for the following systems: “Windows 7, Windows 8, Windows 8.1, Windows 10, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows RT”. [8]

    Blumira detects the adversarial techniques reported by CISA and The DFIR Report with a "Registry Value Tampering: Restricted Admin Mode Enabled" detection. Blumira detections also monitor for related threat actor activity that may occur before or after this step, such as discovery, credential access, persistence, and exploit execution. Some of these detections include:

    • Nltest Domain Enumeration
    • Mimikatz Pass the Hash
    • Password Dumper Remote Thread in LSASS
    • COMSPEC Service Execution
    • User Added to Local Administrator Group
    • and more…

    REFERENCES

    [1] https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn408190(v=ws.11)#restricted-admin-mode-for-remote-desktop-connection
    [2] https://duo.com/docs/rdp-faq#what-logon-interfaces-can-duo-protect?
    [3] https://thedfirreport.com/2024/02/26/seo-poisoning-to-domain-control-the-gootloader-saga-continues/
    [4] https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a
    [5] https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-250a
    [6] https://hunter2.gitbook.io/darthsidious/getting-started/intro-to-windows-hashes
    [7] https://www.aon.com/cyber-solutions/aon_cyber_labs/restricted-admin-mode-circumventing-mfa-on-rdp-logons/
    [8] https://learn.microsoft.com/en-us/archive/technet-wiki/32905.remote-desktop-services-enable-restricted-admin-mode
    [9] https://www.n00py.io/2020/12/alternative-ways-to-pass-the-hash-pth/

    Frequently Asked Questions

    How do I detect if RestrictedAdmin mode has been enabled on my network?

    Monitor the registry key HKLM\System\CurrentControlSet\Control\Lsa for the value DisableRestrictedAdmin being set to 0 (which enables the mode). The most reliable detection method is Sysmon Event ID 13 (Registry Value Set), which logs the exact process that made the change. Without Sysmon, look for Security log Event ID 4657 (registry value modification), though this requires enabling Object Access auditing on that specific registry path. You should also watch for reg.exe or PowerShell processes modifying that key by correlating Sysmon Event ID 1 (process creation) with command-line arguments containing "DisableRestrictedAdmin". Any change to this value outside of a planned administrative action is a high-confidence indicator of compromise.
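The following is an added example, not code from the original post or from Blumira's product: it implements the registry-value check described above over Windows exported-event XML, normalizing Sysmon Event ID 13 (which records the written value as "DWORD (0x00000000)") and Security Event ID 4657 (which records it as a plain number, under the \REGISTRY\MACHINE\... path form) and alerting only when DisableRestrictedAdmin is set to 0. The sample records, process paths and user names are constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
LSA_VALUE = re.compile(r"\\control\\lsa\\disablerestrictedadmin$", re.I)
NUMBER = re.compile(r"0x([0-9a-f]+)|(\d+)", re.I)

def _written_value(text):
    """Sysmon logs 'DWORD (0x00000000)', Security 4657 logs '0'; return the int or None."""
    m = NUMBER.search(text)
    return None if not m else int(m.group(1), 16) if m.group(1) else int(m.group(2))

def registry_write(event_xml):
    """Normalize Sysmon 13 / Security 4657 XML to (value_path, new_value, process, user); else None."""
    root = ET.fromstring(event_xml)
    event_id = int(root.find("e:System/e:EventID", NS).text)
    d = {x.get("Name"): (x.text or "") for x in root.findall("e:EventData/e:Data", NS)}
    if event_id == 13:    # Sysmon RegistryEvent (Value Set)
        return d["TargetObject"], d["Details"], d["Image"], d["User"]
    if event_id == 4657:  # Security log; needs Object Access auditing on the Lsa key
        return (d["ObjectName"] + "\\" + d["ObjectValueName"], d["NewValue"],
                d["ProcessName"], d["SubjectUserName"])
    return None

def restricted_admin_alerts(events):
    """Return (process, user) for every event that sets DisableRestrictedAdmin to 0 (mode enabled)."""
    alerts = []
    for xml in events:
        write = registry_write(xml)
        if write and LSA_VALUE.search(write[0]) and _written_value(write[1]) == 0:
            alerts.append((write[2], write[3]))
    return alerts

def _event(event_id, **data):
    """Build a minimal exported-event XML record (constructed sample, not a real log)."""
    body = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID></System>'
            f"<EventData>{body}</EventData></Event>")

SAMPLE_EVENTS = [  # constructed samples modelled on the reg.exe / PowerShell commands quoted above
    _event(13, Image=r"C:\Windows\System32\reg.exe", User=r"CORP\svc-backup",
           TargetObject=r"HKLM\System\CurrentControlSet\Control\Lsa\DisableRestrictedAdmin",
           Details="DWORD (0x00000000)"),
    _event(13, Image=r"C:\Windows\System32\svchost.exe", User=r"NT AUTHORITY\SYSTEM",  # GPO re-hardening
           TargetObject=r"HKLM\System\CurrentControlSet\Control\Lsa\DisableRestrictedAdmin",
           Details="DWORD (0x00000001)"),
    _event(4657, ProcessName=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
           SubjectUserName="svc-backup", ObjectValueName="DisableRestrictedAdmin", NewValue="0",
           ObjectName=r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa"),
]
```

Only the first and third samples are flagged; the svchost.exe write of 1 is the GPO re-hardening the answer on prevention describes and is ignored.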

    What is the MITRE ATT&CK technique for RestrictedAdmin abuse?

    RestrictedAdmin abuse maps primarily to T1021.001 (Remote Services: Remote Desktop Protocol), used as a lateral movement technique. Attackers typically chain it with T1003 (OS Credential Dumping) to obtain the NTLM hashes they need, and T1112 (Modify Registry) to enable RestrictedAdmin mode in the first place. The full attack sequence is: dump credentials from a compromised host, enable RestrictedAdmin on the target via remote registry modification, then RDP to the target using the stolen hash. Mapping your detections to these technique IDs helps you verify coverage. If you can detect the registry change (T1112) and the subsequent RDP session (T1021.001), you can catch this attack at two points in the kill chain.

    Why would a threat actor enable RestrictedAdmin mode instead of using stolen passwords?

    RestrictedAdmin mode lets attackers use pass-the-hash with RDP, which is normally impossible. Standard RDP authentication requires a plaintext password or Kerberos ticket. If an attacker has only extracted NTLM hashes (which is common after dumping LSASS memory or the SAM database), they cannot RDP to other machines without cracking the hash first. Enabling RestrictedAdmin removes that barrier. The attacker flips a single registry value, and suddenly RDP accepts hash-based authentication. This is faster and quieter than password cracking, especially against long or complex passwords. RestrictedAdmin is disabled by default on Windows 8.1 and Server 2012 R2 and later, so seeing it enabled without a documented business reason is a strong red flag.

    How do I prevent RestrictedAdmin mode from being exploited?

    Keep DisableRestrictedAdmin set to 1 (disabled) via Group Policy by deploying a registry preference GPO that enforces the value. If specific administrative workflows genuinely require RestrictedAdmin (it does protect against credential theft on the remote host), restrict which accounts can use it through the "Restrict delegation of credentials to remote servers" policy and limit its use to hardened admin workstations. Implement Remote Credential Guard as a more secure alternative where possible, since it protects credentials without opening the pass-the-hash door. Monitor for unauthorized changes to the registry value and alert immediately. The combination of GPO enforcement plus monitoring creates a defense-in-depth approach where, even if an attacker modifies the registry locally, the GPO will revert it on the next refresh cycle (typically 90 minutes).

    What other lateral movement techniques should I monitor alongside RestrictedAdmin abuse?

    Attackers rarely rely on a single lateral movement method. Watch for PsExec and SMB-based remote execution (Event ID 7045 for new service installation), WMI remote process creation (Event ID 4688 with wmiprvse.exe as parent), WinRM/PowerShell remoting (Event IDs 4103, 4104 in the PowerShell Operational log), scheduled task creation on remote hosts (Event ID 4698), and DCOM lateral movement (unusual dllhost.exe spawning child processes). Each technique leaves different forensic traces across different log sources. A SIEM that correlates these events across endpoints catches the full attack chain rather than individual techniques in isolation, which is critical because sophisticated attackers switch methods when one path is blocked.
