More Like This
-
Capability Overview
Cyber Resilience
-
Product / Service
Penetration Testing Services
November 15, 2023 7 mins
Restricted Admin Mode – Circumventing MFA On RDP Logons
This blog post demonstrates the use of Restricted Admin mode to circumvent MFA in RDP as a red team tactic.
Overview
In the last decade, Microsoft introduced a new Remote Desktop security feature called Restricted Admin mode to prevent credential caching and subsequent reuse. When enabled, the Restricted Admin mode allows circumventing multi-factor authentication (MFA) enforced by identity and access management solution providers such as Duo and Okta. While this weakness is known and has been documented by at least one of these providers, this blog post serves to demonstrate leveraging this caveat as a red team tactic.
Context
In recent years, corporate environments have embraced identity and access management solution providers such as Okta and Duo to protect access to a host of applications and resources such as email, office suites, and cloud storage solutions. Those providers offer products to authenticate access to these applications with a number of options including MFA and passwordless authentication using mobile devices.
These technologies found their way into corporate Active Directory domain environments that have for years set the standard for centralized enterprise resource allocation and management. Those environments, comprised of Microsoft Windows servers and workstations, now have implemented MFA for a variety of logon processes ranging from a standard login by an employee at a workstation to a remote desktop login on a server by an administrator.
The addition of these authentication mechanisms in networked enterprise environments has made it increasingly difficult for red team operators and threat actors alike who may rely on Remote Desktop Protocol (RDP) as a means of lateral movement after obtaining an initial foothold. The underlying reason why Remote Desktop is a prime target for adversaries is because it is generally permitted by firewalls and other network security devices since administrators use it to jump around various servers and workstations with ease. While there are other services that may be permitted for smooth functioning of an Active Directory environment such as Microsoft Remote Procedure Call (MSRPC) and Server Message Block (SMB), Remote Desktop remains a critical attack surface to defend, as it is a legitimate way of logging onto a host without executing code that may be detected by antivirus or intrusion detection systems.
The adoption of Remote Desktop also shed light on other security weaknesses, namely caching of credentials on the Windows host being connected to. Specifically, the Windows Local Security Authority Subsystem Service (LSASS) process on the Remote Desktop host stores a copy of the credentials used for interactive logon authentication. These credentials are utilized to service subsequent connection requests to authenticated resources such as file shares. To combat this, Microsoft released an addition to RDP called Restricted Admin mode. This mode allows users that possess local administrative privileges on the Remote Desktop host to complete the authentication process without supplying the password in cleartext. As a result, the password is never cached on the logon host and cannot be reused by a threat actor to escalate privileges across the environment. At the same time, this functionality allows pass-the-hash attacks against RDP and hence puts corporations in a fix whether to prioritize chances of credential compromise versus reuse.
MFA Caveat
However, the specifics of the authentication process are of interest when operating in Restricted Admin mode. The distinction is between an “interactive” versus a “network” logon and since the Restricted Admin mode uses the latter (adopting a token-based method as compared to cleartext credentials), the authentication doesn’t take place on the Remote Desktop server but instead on the client itself. As a result, authentication factors enforced on the destination server such as MFA provisioned via Duo, Okta, or potentially other identity and access management solutions are rendered ineffective.
A caveat that arises from this mode within RDP is that threat actors can completely bypass MFA on servers and/or workstations when attempting to laterally move across the corporate environment if they possess administrative privileges. While the Restricted Admin mode is disabled by default, the following red teaming Tactics, Techniques, and Procedures (TTPs) describe how it could be leveraged to expand coverage and access across the network.
Imagine the following scenario: the adversary has gained an initial foothold within a firm’s internal network infrastructure and has access to a set of administrative credentials that can be used to compromise a domain-connected Windows host. They have attempted to log on via RDP but there’s a multi-factor mechanism that is sending a push notification to the victim user’s phone and awaiting approval. At this point, the adversary could attempt an MFA fatigue attack by spamming the victim device with push requests in hope that they accept the notification, but this approach is noisy and has rate limitations.
Since they have access to credentials, they can interrogate an administrative session over port SMB/445 (which does not enforce MFA as it’s a network logon) and enable the restricted admin mode:
crackmapexec smb <IP> -u <username> -p <password> -x 'reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v DisableRestrictedAdmin /d 0 /t REG_DWORD'
Next, they can generate the NTLM hash for the supplied password and bypass MFA on the Remote Desktop server using FreeRDP on Linux:
xfreerdp /v:<IP> /u:<victim username> /d:<domain> /pth:<victim password-hash>
Or the official Remote Desktop client on Windows (logged-on user’s context):
mstsc.exe /restrictedadmin
On Windows, they can either hijack the logged-on user’s context or request a service ticket using mimikatz:
mimikatz # sekurlsa::pth /user:<victim username> /domain:<domain> /ntlm:<victim password hash> /run:"mstsc.exe /restrictedadmin"
Detection
In order to detect this MFA bypass, EDR systems and/or system administrators should monitor the server registry to ensure that the DisableRestrictedAdmin key is set to 1, which indicates that the mode remains disabled. In the event that this value is modified, a security alert should be triggered which causes the isolation and quarantine of the originating host in order to stop the adversary in their tracks. While these recommendations serve as detective and responsive controls, there is no known remediation at the time of writing for this issue, which has been documented by some identity and access management vendors such as Duo but not all.
About Cyber Solutions:
Aon’s Cyber Solutions offers holistic cyber risk management, unsurpassed investigative skills, and proprietary technologies to help clients uncover and quantify cyber risks, protect critical assets, and recover from cyber incidents.
General Disclaimer
This document is not intended to address any specific situation or to provide legal, regulatory, financial, or other advice. While care has been taken in the production of this document, Aon does not warrant, represent or guarantee the accuracy, adequacy, completeness or fitness for any purpose of the document or any part of it and can accept no liability for any loss incurred in any way by any person who may rely on it. Any recipient shall be responsible for the use to which it puts this document. This document has been compiled using information available to us up to its date of publication and is subject to any qualifications made in the document.
Terms of Use
The contents herein may not be reproduced, reused, reprinted or redistributed without the expressed written consent of Aon, unless otherwise authorized by Aon. To use information contained herein, please write to our team.
Aon's Better Being Podcast
Our Better Being podcast series, hosted by Aon Chief Wellbeing Officer Rachel Fellowes, explores wellbeing strategies and resilience. This season we cover human sustainability, kindness in the workplace, how to measure wellbeing, managing grief and more.
-
Podcast 21 mins
On Aon Podcast: Better Being Series Dives into Women’s Health -
Podcast 38 mins
On Aon’s Better Being Series: The World Wellbeing Movement -
Podcast 30 mins
On Aon’s Better Being Series: Mental Health and Creating Kinder Cultures -
Podcast 31 mins
On Aon’s Better Being Series: Managing Loss and Grief -
Podcast 26 mins
On Aon’s Better Being Series: Measuring Wellbeing -
Podcast 27 mins
On Aon’s Better Being Series: Physical Wellbeing and Resilience -
Podcast 25 mins
On Aon’s Better Being Series: Human Sustainability
Aon Insights Series UK
Expert Views on Today's Risk Capital and Human Capital Issues
-
Article 4 mins
Introduction: Clarity and Confidence to Make Better Decisions -
Article 5 mins
The Age of Rising Resilience – An Economic Outlook -
Article 6 mins
Building Resilience Against the Constant Cyber Threat -
Article 5 mins
Making Better Decisions – A Treasurer’s Perspective -
Article 5 mins
How to Balance the Conflicting Forces of Efficiency, Performance and Wellbeing -
Article 8 mins
Seizing the Opportunity: Building a Comprehensive Approach to Risk Transfer -
Article 5 mins
Tapping New Markets to Unlock Deal Value -
Article 7 mins
The Rise of the Skills-Based Organisation -
Article 5 mins
Creating a Fair and Equitable Workforce for Everyone -
Article 5 mins
The Year of the Vote: How Geopolitical Volatility Will Impact Businesses -
Article 5 mins
The Aon Difference
Construction and Infrastructure
The construction industry is under pressure from interconnected risks and notable macroeconomic developments. Learn how your organization can benefit from construction insurance and risk management.
-
Article 19 mins
How North American Construction Contractors Can Mitigate Emerging Risks -
Article 9 mins
Managing Construction Risks: 7 Risk Advisory Steps -
Article 14 mins
Unlocking Capacity and Capital in a Challenging Construction Risk Market -
Article 12 mins
Protecting North American Contractors from Extreme Heat Risks with Parametric -
Article 8 mins
How Climate Modeling Can Mitigate Risks and Improve Resilience in the Construction Industry -
Report 1 mins
Construction Risk Management Europe Report 2023 -
Article 19 mins
Parametric Can Help Mitigate Extreme Heat Risks for Contractors in EMEA -
Article 21 mins
How the Construction Industry is Navigating Climate Change -
Article 14 mins
Top Risks Facing Construction and Real Estate Organizations
Cyber Labs
Stay in the loop on today's most pressing cyber security matters.
-
Cyber Labs 65 mins
Cracking Into Password Requirements -
Cyber Labs 60 mins
DUALITY: Advanced Red Team Persistence through Self-Reinfecting DLL Backdoors for Unyielding Control -
Cyber Labs 12 mins
Detecting “Effluence”, An Unauthenticated Confluence Web Shell -
Cyber Labs 9 mins
Financially Motivated Criminal Group Targets Telecom, Technology & Manufacturing -
Article 12 mins
To Combat Cyber Risk, Businesses Invest in Resilience -
Article 10 mins
For Cyber Readiness, the CISO and CRO Join Forces -
Article 16 mins
Mitigating Insider Threats: Managing Cyber Perils While Traveling Globally -
Article 41 mins
Buyer-Friendly Cyber and E&O Market: How to Take Advantage -
Article 7 mins
Managing Cyber Risk through Return on Security Investment -
Article 22 mins
Top 5 Cyber Threats To Mergers and Acquisitions -
Article 10 mins
Cyber Attacks: How to Rapidly Detect, Respond and Contain Damage
Cyber Resilience
Our Cyber Resilience collection gives you access to Aon’s latest insights on the evolving landscape of cyber threats and risk mitigation measures. Reach out to our experts to discuss how to make the right decisions to strengthen your organization’s cyber resilience.
-
Article 17 mins
Why Now is the Right Time to Customize Cyber and E&O Contracts -
Article 7 mins
8 Steps Toward Building Better Resilience Against Rising Ransomware Attacks -
Article 16 mins
Mitigating Insider Threats: Managing Cyber Perils While Traveling Globally -
Article 7 mins
Managing Cyber Risk through Return on Security Investment -
Article 10 mins
Mitigating Insider Threats: Your Worst Cyber Threats Could be Coming from Inside -
Article 13 mins
Why HR Leaders Must Help Drive Cyber Security Agenda -
Article 12 mins
Escalating Cyber Security Risks Mean Businesses Need to Build Resilience
Employee Wellbeing
Our Employee Wellbeing collection gives you access to the latest insights from Aon's human capital team. You can also reach out to the team at any time for assistance with your employee wellbeing needs.
-
Article 7 mins
Three Ways Collective Retirement Plans Support HR Priorities -
Article 13 mins
How the Right Employee Wellbeing Strategy Impacts Microstress and Burnout at Work -
Podcast 21 mins
On Aon Podcast: Better Being Series Dives into Women’s Health -
Article 12 mins
Making Wellbeing Part of a Company’s DNA -
Podcast 26 mins
On Aon’s Better Being Series: Measuring Wellbeing -
Podcast 27 mins
On Aon’s Better Being Series: Physical Wellbeing and Resilience -
Article 9 mins
Why Workforce Wellbeing is Vital to Company Performance -
Article 8 mins
COVID-19 has Permanently Changed the Way We Think About Wellbeing
Environmental, Social and Governance Insights
Explore Aon's latest environmental social and governance (ESG) insights.
-
Article 10 mins
Why ESG Is Even More Important In A Crisis Like COVID-19 -
Podcast 18 mins
On Aon Podcast: Approach to DE&I in the Workplace
Q4 2023 Global Insurance Market Insights
Our Global Insurance Market Insights highlight insurance market trends across pricing, capacity, underwriting, limits, deductibles and coverages.
-
Article 17 mins
Q4 2023: Global Insurance Market Overview -
Article 17 mins
Top Risk Trends to Watch in 2024
Regional Results
How do the top risks on business leaders’ minds differ by region and how can these risks be mitigated? Explore the regional results to learn more.
-
Article 17 mins
Top Risks Facing Organizations in Asia Pacific -
Article 17 mins
Top Risks Facing Organizations in North America -
Article 16 mins
Top Risks Facing Organizations in Europe -
Article 16 mins
Top Risks Facing Organizations in Latin America -
Article 15 mins
Top Risks Facing Organizations in the Middle East and Africa -
Article 18 mins
Top Risks Facing Organizations in the United Kingdom
Human Capital Analytics
Our Human Capital Analytics collection gives you access to the latest insights from Aon's human capital team. Contact us to learn how Aon’s analytics capabilities helps organizations make better workforce decisions.
-
Article 25 mins
How Technology Will Transform Employee Benefits in the Next Five Years -
Podcast 19 mins
On Aon Podcast: Technology Impacting the Future of Health and Benefits -
Article 18 mins
Integrating Workforce Data to Uncover Hidden Insights -
Article 25 mins
How Employers Can Use Data to Improve Their Health Plans -
Podcast 26 mins
On Aon’s Better Being Series: Measuring Wellbeing -
Article 14 mins
Designing Tomorrow: Personalizing EVP, Benefits and Total Rewards -
Article 10 mins
How to Balance Cost with Growth in a Shifting Talent Market -
Article 10 mins
How Companies are Mitigating Rising Medical Costs -
Article 11 mins
How Data and Analytics Can Optimize HR Programs
Insights for HR
Explore our hand-picked insights for human resources professionals.
-
Article 8 mins
COVID-19 has Permanently Changed the Way We Think About Wellbeing -
Article 10 mins
DE&I in Benefits Plans: A Global Perspective -
Article 11 mins
How Data and Analytics Can Optimize HR Programs -
Article 13 mins
Why HR Leaders Must Help Drive Cyber Security Agenda -
Article 9 mins
Case Study: The LPGA Unlocks Talent Potential with Data -
Article 14 mins
Navigating the New EU Directive on Pay Transparency -
Article 12 mins
How to Design Better Talent Assessment to Promote DE&I -
Article 8 mins
Training and Transforming Managers for the Future of Work -
Article 9 mins
Rethinking Your Total Rewards Programs During Mergers and Acquisitions -
Article 19 mins
Building a Resilient Workforce That Steers Organizational Success | An Outlook Across Industries
Workforce
Our Workforce Collection provides access to the latest insights from Aon’s Human Capital team on topics ranging from health and benefits, retirement and talent practices. You can reach out to our team at any time to learn how we can help address emerging workforce challenges.
-
Report 23 mins
A Workforce in Transition Prepares to Meet a Host of Challenges -
Article 13 mins
Driving Inclusion and Diversity with Employee Benefits -
Article 19 mins
Five Big Human Resources Trends to Watch in 2024 -
Article 10 mins
How Companies are Mitigating Rising Medical Costs -
Report 1 mins
The Global Medical Trend Rates Report 2024 -
Podcast 27 mins
On Aon’s Better Being Series: Physical Wellbeing and Resilience -
Article 13 mins
How the Right Employee Wellbeing Strategy Impacts Microstress and Burnout at Work -
Article 24 mins
Advancing Women’s Health and Equity Through Benefits and Support -
Podcast 19 mins
On Aon Podcast: Technology Impacting the Future of Health and Benefits -
Article 10 mins
How Collective Retirement Plans Help Support Financial Sustainability
Mergers and Acquisitions
Our Mergers and Acquisitions (M&A) collection gives you access to the latest insights from Aon's thought leaders to help dealmakers make better decisions. Explore our latest insights and reach out to the team at any time for assistance with transaction challenges and opportunities.
-
Article 18 mins
Exit Strategy Value Creation Opportunities Exist as Economic Pressures Persist -
Article 9 mins
Future Trends for Financial Sponsors: Secondary Transactions -
Article 21 mins
3 Ways to Unlock M&A Value in a Challenging Credit Environment -
Article 9 mins
Rethinking Your Total Rewards Programs During Mergers and Acquisitions -
Article 18 mins
Organizational Design and Talent Planning are Key to M&A Success -
Article 12 mins
An Ever-Complex Global Tax Environment Requires Strong M&A Risk Solutions -
Article 7 mins
Project Management for HR: The Secret Behind a Successful M&A Deal -
Article 15 mins
Cultural Alignment Planning Drives M&A Success
Navigating Volatility
How do businesses navigate their way through new forms of volatility and make decisions that protect and grow their organizations?
Parametric Insurance
Our Parametric Insurance Collection provides ways your organization can benefit from this simple, straightforward and fast-paying risk transfer solution. Reach out to learn how we can help you make better decisions to manage your catastrophe exposures and near-term volatility.
-
Article 11 mins
Parametric Insurance: A Complement to Traditional Property Coverage -
Article 11 mins
Using Parametric Insurance to Match Capital to Climate Risk -
Article 9 mins
Using Parametric Insurance to Close the Earthquake Protection Gap -
Article 19 mins
How Technology Enhancements are Boosting Parametric
Pay Transparency and Equity
Our Pay Transparency and Equity collection gives you access to the latest insights from Aon's human capital team on topics ranging from pay equity to diversity, equity and inclusion. Contact us to learn how we can help your organization address these issues.
-
Article 12 mins
Pay Transparency Can Lead to Better Equity Across Benefits -
Article 21 mins
Understanding and Preparing for the Rise in Pay Transparency -
Podcast 21 mins
On Aon Podcast: Understanding Pay Transparency Regulations -
Article 14 mins
Navigating the New EU Directive on Pay Transparency -
Article 13 mins
To Disclose Pay or Not? How Companies are Approaching the Pay Transparency Movement -
Podcast 21 mins
On Aon Podcast: Better Being Series Dives into Women’s Health -
Article 24 mins
Advancing Women’s Health and Equity Through Benefits and Support -
Article 13 mins
Driving Inclusion and Diversity with Employee Benefits -
Article 9 mins
Belonging at Work: How Employers can Strengthen DE&I -
Article 10 mins
DE&I in Benefits Plans: A Global Perspective -
Podcast 18 mins
On Aon Podcast: Approach to DE&I in the Workplace
Property Risk Management
Forecasters are predicting an extremely active 2024 Atlantic hurricane season. Take measures to build resilience to mitigate risk for hurricane-prone properties.
-
Article 10 mins
Build Resilience for an Extremely Active Atlantic Hurricane Season -
Article 9 mins
Four Steps to Develop Strong Property Risk Coverage in a Hardening Market -
Podcast 18 mins
On Aon Podcast: Navigating and Preparing for Catastrophes -
Article 11 mins
Parametric Insurance: A Complement to Traditional Property Coverage -
Article 12 mins
Navigating Climate Risk Using Multiple Models and Data Sets -
Article 9 mins
Rising Losses From Severe Convection Storms Mostly Explained by Exposure Growth -
Article 9 mins
Using Parametric Insurance to Close the Earthquake Protection Gap
Technology
Our Technology Collection provides access to the latest insights from Aon's thought leaders on navigating the evolving risks and opportunities of technology. Reach out to the team to learn how we can help you use technology to make better decisions for the future.
-
Report 24 mins
Evolving Technologies Are Driving Firms to Harness Opportunities and Defend Against Threats -
Article 17 mins
5 Ways Artificial Intelligence can Boost Claims Management -
Article 7 mins
Artificial Intelligence and the Next Frontier for Financial Institutions -
Article 10 mins
Mitigating Insider Threats: Your Worst Cyber Threats Could be Coming from Inside -
Article 7 mins
8 Steps Toward Building Better Resilience Against Rising Ransomware Attacks -
Article 17 mins
Overcoming the Reputational Cost of Cyber Attacks: The 10-Day Plan -
Article 13 mins
Why HR Leaders Must Help Drive Cyber Security Agenda -
Article 12 mins
How to Futureproof Data and Analytics Capabilities for Reinsurers
Top 10 Global Risks
Trade, technology, weather and workforce stability are the central forces in today’s risk landscape.
-
Article 12 mins
Cyber Attack or Data Breach -
Article 8 mins
Business Interruption -
Article 9 mins
Economic Slowdown or Slow Recovery -
Article 12 mins
Failure to Attract or Retain Top Talent -
Article 11 mins
Regulatory or Legislative Changes -
Article 9 mins
Supply Chain or Distribution Failure -
Article 12 mins
Commodity Price Risk or Scarcity of Materials -
Article 9 mins
Damage to Brand or Reputation -
Article 9 mins
Failure to Innovate or Meet Customer Needs -
Article 8 mins
Increasing Competition
Trade
Our Trade Collection gives you access to the latest insights from Aon's thought leaders on navigating the evolving risks and opportunities for international business. Reach out to our team to understand how to make better decisions around macro trends and why they matter to businesses.
-
Report 4 mins
Global Risk Management Survey -
Report 21 mins
Wide-Ranging Trade Issues Confront Global Businesses on Multiple Fronts -
Article 9 mins
Four Steps to Develop Strong Property Risk Coverage in a Hardening Market -
Article 30 mins
Cutting Supply Chains: How to Achieve More Reward with Less Risk -
Article 22 mins
Driving Private Equity Value Creation Through Credit Solutions -
Article 10 mins
4 Steps to Help Take Advantage of a Buyer-Friendly Directors' & Officers' Market -
Article 14 mins
Managing Reputational Risks in Global Supply Chains -
Article 10 mins
How an Outsourced Chief Investment Officer Can Help Improve Governance and Manage Complexity -
Article 11 mins
Decarbonizing Your Business: Finding the Right Insurance and Strategy -
Article 13 mins
Reputation Analytics as a Leading Indicator of ESG Risk
Weather
With a changing climate, organizations in all sectors will need to protect their people and physical assets, reduce their carbon footprint, and invest in new solutions to thrive. Our Weather Collection provides you with critical insights to be prepared.
-
Article 10 mins
Build Resilience for an Extremely Active Atlantic Hurricane Season -
Report 26 mins
Climate Analytics Unlock Capital to Protect People and Property -
Report 4 mins
Climate and Catastrophe Insight -
Article 21 mins
How Investors are Making Better Decisions Amid a Changing Climate -
Article 10 mins
Improving Agricultural Practices to Address Climate Risks -
Article 18 mins
Understanding Freeze Risk in a Changing Climate -
Podcast 10 mins
On Aon Podcast: Climate Science Through Academic Collaboration -
Article 10 mins
How Companies Are Using Climate Modeling to Improve Risk Decisions -
Podcast 9 mins
On Aon Insights: Climate and Supply Chain -
Article 11 mins
Using Parametric Insurance to Match Capital to Climate Risk -
Article 21 mins
How the Construction Industry is Navigating Climate Change -
Article 13 mins
Record Heatwaves: Protecting Employee Health and Safety
Workforce Resilience
Our Workforce Resilience collection gives you access to the latest insights from Aon's Human Capital team. You can reach out to the team at any time for questions about how we can assess gaps and help build a more resilience workforce.
-
Article 11 mins
Using Data to Close Workforce Gaps in Financial Institutions -
Article 9 mins
Using Data to Close Workforce Gaps in Retail Companies -
Article 12 mins
Using Data to Close Workforce Gaps in Technology Companies -
Article 6 mins
Using Data to Close Workforce Gaps in Manufacturing Companies -
Article 12 mins
Using Data to Close Workforce Gaps in Life Sciences Companies -
Report 5 mins
Measure Workforce Resilience for Better Business Outcomes -
Podcast 20 mins
On Aon Podcast: Methodology to Predict Employee Performance for the LPGA -
Article 8 mins
Training and Transforming Managers for the Future of Work -
Article 19 mins
Building a Resilient Workforce That Steers Organizational Success | An Outlook Across Industries
More Like This
-
Article 8 mins
Insurance and the Metaverse: Safeguarding Virtual Assets
Insurers are venturing into the thriving digital landscape of the Metaverse, covering virtual assets, safeguarding intellectual property, and protecting the wellbeing of users and avatars. With this evolution, comes new challenges and the unique opportunity to shape the future of insurance.
-
Article 10 mins
Build Resilience for an Extremely Active Atlantic Hurricane Season
Record-warm Atlantic Ocean temperatures and a shift to La Niña conditions have led forecasters to predict an extremely active Atlantic hurricane season in 2024. Learn how to build business resilience to mitigate risk for hurricane-prone properties.
-
Alert 7 mins
Workforce Implications of U.S. Supreme Court Ruling on ‘Chevron Deference’
The U.S. Supreme Court has changed the way laws are interpreted in the development of regulations. This change has the potential for far-reaching consequences for both regulatory agencies and employers.
