Restricted Admin Mode
reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa /v DisableRestrictedAdmin /t REG_DWORD /d "0" /f
reg add "hklm\system\currentcontrolset\control\lsa" /f /v DisableRestrictedAdmin /t REG_DWORD /d 0
powershell New-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Lsa" -Name "DisableRestrictedAdmin" -Value "0" -PropertyType DWORD -Force
Microsoft Guidance:
For helpdesk support scenarios in which personnel require administrative access via Remote Desktop sessions, the use of Remote Credential Guard isn't recommended. If an RDP session is initiated to an already compromised client, the attacker could use that open channel to create sessions on the user's behalf. The attacker can access any of the user's resources for a limited time after the session disconnects.
We recommend using Restricted Admin mode option instead. For helpdesk support scenarios, RDP connections should only be initiated using the /RestrictedAdmin switch. This helps to ensure that credentials and other user resources aren't exposed to compromised remote hosts.
Bypass MFA:
Because Restricted Admin mode permits pass-the-hash authentication, it can be used to bypass MFA.
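An added audit script (not from the original page or from Microsoft) that checks the DisableRestrictedAdmin value set by the commands above and lists recent RDP logons that used Restricted Admin mode, so a defender can see where hash-only RDP authentication is possible; it assumes Windows 10 / Server 2016 or later, where an absent value means the feature is off and the 4624 event carries the RestrictedAdminMode field.

```powershell
# Added audit example (not the page's own code): report Restricted Admin mode state
# and recent RDP logons that used it.
function Get-RestrictedAdminState {
    $path  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $value = (Get-ItemProperty -Path $path -Name DisableRestrictedAdmin `
              -ErrorAction SilentlyContinue).DisableRestrictedAdmin
    # Assumption (Windows 10 / Server 2016+): missing value = disabled (default),
    # 0 = enabled, any non-zero value = disabled.
    if ($null -eq $value) {
        return [pscustomobject]@{ Enabled = $false; RawValue = $null
                                  Note = 'Value absent: Restricted Admin mode disabled (default)' }
    }
    [pscustomobject]@{ Enabled = ($value -eq 0); RawValue = $value
                       Note = "DisableRestrictedAdmin = $value" }
}

function Get-RestrictedAdminLogons {
    param([int]$Days = 7)
    # Security 4624, LogonType 10 (RemoteInteractive); RestrictedAdminMode is 'Yes'
    # when the client connected with mstsc /RestrictedAdmin. Needs rights to read
    # the Security log (run elevated).
    $filter = @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($n in $xml.Event.EventData.Data) { $data[$n.Name] = $n.'#text' }
        if ($data.LogonType -eq '10' -and $data.RestrictedAdminMode -eq 'Yes') {
            [pscustomobject]@{
                Time     = $_.TimeCreated
                Account  = "$($data.TargetDomainName)\$($data.TargetUserName)"
                SourceIP = $data.IpAddress
                Process  = $data.ProcessName
            }
        }
    }
}

$state = Get-RestrictedAdminState
$state
if ($state.Enabled) {
    # Restricted Admin logons authenticate with the NTLM hash alone, so an MFA
    # control enforced at the interactive prompt does not cover them.
    Write-Warning 'Restricted Admin mode is enabled on this host; review the logons below.'
    Get-RestrictedAdminLogons -Days 7 | Format-Table -AutoSize
}
```

Run it elevated on the RDP target host; an enabled state with no business need is the finding, and any listed logon from an unexpected source address deserves follow-up.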