cscli scenarios install sigmahq/proc_creation_win_reg_lsa_disable_restricted_admin
```yaml
type: trigger
name: sigmahq/proc_creation_win_reg_lsa_disable_restricted_admin
description: |
  Detects changes to the "DisableRestrictedAdmin" registry value in order to disable or enable RestrictedAdmin mode. RestrictedAdmin mode prevents the transmission of reusable credentials to the remote system to which you connect using Remote Desktop. This prevents your credentials from being harvested during the initial connection process if the remote server has been compromised.
filter: |
  (evt.Meta.service == 'sysmon' && evt.Parsed.EventID == '1') && (evt.Parsed.CommandLine contains '\\System\\CurrentControlSet\\Control\\Lsa\\' && evt.Parsed.CommandLine contains 'DisableRestrictedAdmin')
blackhole: 2m
#status: test
labels:
  service: windows
  confidence: 1
  spoofable: 0
  classification:
    - attack.t1112

  label: "RestrictedAdminMode Registry Value Tampering - ProcCreation"
  behavior: "windows:audit"
  remediation: false

scope:
  type: ParentProcessId
  expression: evt.Parsed.ParentProcessId
```
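To see exactly which command lines the filter above catches, here is the same logic re-implemented in plain Python and run over a handful of constructed Sysmon-style events. This is an added example, not CrowdSec's code and not part of the hub page: CrowdSec evaluates the filter with the expr language against its own event structure, and the event dicts, helper names (`matches_filter`, `make_event`, `scan`) and command lines below are assumptions made for illustration. Note that in the expr string literal the doubled backslashes are escapes, so the runtime fragment is `\System\CurrentControlSet\Control\Lsa\`, with a trailing separator, and that expr's `contains` is a case-sensitive substring test.

```python
"""Plain-Python mirror of the scenario's filter (added example, not CrowdSec code).

The event layout (evt.Meta / evt.Parsed), the helper names and the sample
command lines are assumptions made for this illustration.
"""
from typing import Dict, List

# Literal values from the scenario's filter expression. In the expr string
# '\\System\\...\\Lsa\\' each doubled backslash is an escape, so the runtime
# value is one backslash per separator, including a trailing one.
LSA_PATH_FRAGMENT = "\\System\\CurrentControlSet\\Control\\Lsa\\"
VALUE_NAME = "DisableRestrictedAdmin"


def matches_filter(evt: Dict) -> bool:
    """Mirror of the filter: Sysmon process creation (EventID 1) whose
    CommandLine contains both the Lsa key path and the value name.
    expr's `contains` is a case-sensitive substring test, so this is too."""
    meta = evt.get("Meta", {})
    parsed = evt.get("Parsed", {})
    if meta.get("service") != "sysmon" or parsed.get("EventID") != "1":
        return False
    cmd = parsed.get("CommandLine", "")
    return LSA_PATH_FRAGMENT in cmd and VALUE_NAME in cmd


def make_event(command_line: str, event_id: str = "1",
               service: str = "sysmon", ppid: str = "4242") -> Dict:
    """Build a minimal event shaped like CrowdSec's evt.Meta / evt.Parsed
    (assumed layout; only the fields the filter and scope read are present)."""
    return {
        "Meta": {"service": service},
        "Parsed": {"EventID": event_id, "CommandLine": command_line,
                   "ParentProcessId": ppid},
    }


def scan(events: List[Dict]) -> List[str]:
    """Return the ParentProcessId of every matching event, which is the scope
    key the scenario alerts on (scope.type: ParentProcessId)."""
    return [e["Parsed"]["ParentProcessId"] for e in events if matches_filter(e)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # 1. PowerShell writes the value; the key path ends in a separator.
    make_event("powershell.exe -c \"Set-ItemProperty -Path 'HKLM:\\System\\CurrentControlSet\\Control\\Lsa\\' "
               "-Name DisableRestrictedAdmin -Value 1\"", ppid="1001"),
    # 2. reg.exe form: the key path is followed by a space, not a backslash,
    #    so the literal fragment (which ends in '\') is absent.
    make_event("reg add HKLM\\System\\CurrentControlSet\\Control\\Lsa /v DisableRestrictedAdmin /t REG_DWORD /d 0 /f",
               ppid="1002"),
    # 3. Same intent as 1, lowercased: `contains` is case-sensitive, so no match.
    make_event("powershell.exe -c \"set-itemproperty -path 'hklm:\\system\\currentcontrolset\\control\\lsa\\' "
               "-name disablerestrictedadmin -value 1\"", ppid="1003"),
    # 4. Same command line as 1 but a Sysmon registry event (EventID 13):
    #    the filter is restricted to process creation.
    make_event("powershell.exe -c \"Set-ItemProperty -Path 'HKLM:\\System\\CurrentControlSet\\Control\\Lsa\\' "
               "-Name DisableRestrictedAdmin -Value 1\"", event_id="13", ppid="1004"),
    # 5. Touches the key but never names the value: only one substring present.
    make_event("reg query HKLM\\System\\CurrentControlSet\\Control\\Lsa\\ /v RunAsPPL", ppid="1005"),
]

if __name__ == "__main__":
    for ppid in scan(SAMPLE_EVENTS):
        print(f"RestrictedAdminMode Registry Value Tampering - ProcCreation: parent pid {ppid}")
```

Only the first sample fires. Two of the misses are worth checking against your own telemetry before relying on this scenario: the path fragment ends in a backslash, so a `reg add HKLM\...\Lsa /v DisableRestrictedAdmin` command line (key followed by a space) does not contain it, and the match is case-sensitive, so lowercased or mixed-case paths slip through. The filter also does not look at the value data, which is why the description says it fires on both disabling and enabling RestrictedAdmin mode.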