https://github.com/GhostPack/RestrictedAdmin

Remotely enables Restricted Admin Mode
https://github.com/GhostPack/RestrictedAdmin

Last synced: about 2 months ago
JSON representation

Remotely enables Restricted Admin Mode

• Host: GitHub
• URL: https://github.com/GhostPack/RestrictedAdmin
• Owner: GhostPack
• License: bsd-3-clause
• Created: 2021-09-02T23:49:47.000Z (over 3 years ago)
• Default Branch: main
• Last Pushed: 2021-09-03T15:58:04.000Z (over 3 years ago)
• Last Synced: 2024-08-05T17:26:14.612Z (5 months ago)
• Language: C#
• Homepage:
• Size: 18.6 KB
• Stars: 202
• Watchers: 7
• Forks: 39
• Open Issues: 0
• Metadata Files:
  • Readme: README.md
  • License: LICENSE

Awesome Lists containing this project

• awesome-hacking-lists - GhostPack/RestrictedAdmin - Remotely enables Restricted Admin Mode (C# #)

README

        
# RestrictedAdmin

Quick and dirty C# program that remotely enables "Restricted Admin Mode".

Restricted Admin Mode was introduced in Windows 8.1 as an attempt to prevent credential exposure via RDP. While well intentioned, this unfortunately introduced the ability to pass-the-hash to RDP.

While Restricted Admin Mode is not enabled by default on systems, we can enable it by setting the value of `DisableRestrictedAdmin` to 0 at `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa`. In order to do this remotely, we could use remote registry, however this is not always enabled on systems (particularly workstations). Instead, we can use the [StdRegProv WMI class](https://docs.microsoft.com/en-us/previous-versions/windows/desktop/regprov/stdregprov) to flip this value remotely. This approach was later expanded by @airzero24 in his [WMIReg](https://github.com/airzero24/WMIReg) project.

The TypeLib GUID of RestrictedAdmin is **79F11FC0-ABFF-4E1F-B07C-5D65653D8952**. This is reflected in the Yara rules currently in this repo.

**I did not invent or figure out any of this**. For more information and references on the work this was built on, see the **References** section at the bottom of this README.

## Usage

    C:\Tools>RestrictedAdmin.exe

    Usage:

            Check the DisableRestrictedAdmin value:

                    RestrictedAdmin.exe 

            Enabled Restricted Admin mode (set DisableRestrictedAdmin to 0):

                    RestrictedAdmin.exe  0

            Disable Restricted Admin mode (set DisableRestrictedAdmin to 1):

                    RestrictedAdmin.exe  1

            Clear the Restricted Admin mode setting completely:

                    RestrictedAdmin.exe  clear

## References

* [Details on using this for PTH from Portcullis Labs.](https://labs.portcullis.co.uk/blog/new-restricted-admin-feature-of-rdp-8-1-allows-pass-the-hash/)

* [PTH + RDP w/ restricted admin mode in Kali.](https://www.kali.org/blog/passing-hash-remote-desktop/)

* [F-Secure has a post about offensively disabling Restricted Admin Mode.](https://labs.f-secure.com/blog/undisable/).

* [Some Restricted Admin Mode details from Microsoft.](https://docs.microsoft.com/en-us/archive/blogs/kfalde/restricted-admin-mode-for-rdp-in-windows-8-1-2012-r2)

* The StdRegProv approach was adapted from [this post](https://web.archive.org/web/20200212015446/http://softvernow.com/2018/09/02/using-wmi-and-c-registry-values/).