Indicator: registry_key
HKLM\System\CurrentControlSet\Control\Lsa\DisableRestrictedAdmin
- First seen: 2026-05-13
- Last seen: 2026-05-13
- Sightings: 1
Posts referencing this indicator
- Proactive Preparation and Hardening Against Destructive Attacks: 2026 Edition
Registry key controlling Restricted Admin mode for RDP. Setting it to 1 disables Restricted Admin mode, which exposes administrative credentials in memory during RDP sessions.