RestrictedAdminMode Registry Value Tampering

Sigma Rules

Summary
This rule detects any change to the registry value "DisableRestrictedAdmin" under the Windows registry path \System\CurrentControlSet\Control\Lsa. RestrictedAdmin mode hardens Remote Desktop connections by preventing reusable credentials from being sent to the remote system, which protects them from compromise when connecting to a potentially hostile remote server. A change to this registry value may indicate an attempt to bypass that protection, so the rule alerts administrators to a potential security threat. It triggers on any modification of this specific registry value, regardless of the data written, enabling a timely response to potential credential harvesting. Users are advised to review the modification together with other security logs to rule out false positives or benign changes.
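As an added illustration that is not part of this rule or of the Sigma project's code, the following Python replays the rule's logic over constructed Sysmon Event ID 13 (registry value set) records: it normalises the hive prefix and ControlSet00N spellings so the \REGISTRY\MACHINE form of the path matches as well, flags every write to the watched value, and parses the DWORD written for triage context (0 enables RestrictedAdmin mode, non-zero disables it). The event fields, sample records and helper names are assumptions.

```python
import re
from dataclasses import dataclass

# Value path from the rule, compared case-insensitively after hive normalisation.
TARGET_VALUE_PATH = r"\system\currentcontrolset\control\lsa\disablerestrictedadmin"
_HIVE_PREFIX = re.compile(r"^(hklm|hkey_local_machine|\\registry\\machine)", re.I)
_CONTROL_SET = re.compile(r"\\controlset\d{3}\\", re.I)

@dataclass
class RegistrySetEvent:  # minimal view of a Sysmon Event ID 13 record (constructed)
    utc_time: str
    image: str
    target_object: str
    details: str

def normalize_target(target_object: str) -> str:
    """Strip the hive prefix and map ControlSet00N to CurrentControlSet so the
    Sysmon spelling and the \\REGISTRY\\MACHINE spelling compare equal."""
    path = _HIVE_PREFIX.sub("", target_object.strip())
    path = _CONTROL_SET.sub(r"\\currentcontrolset\\", path)
    return path.lower()

def is_restricted_admin_tampering(event: RegistrySetEvent) -> bool:
    """True for any write to the watched value, whatever data was written."""
    return normalize_target(event.target_object).endswith(TARGET_VALUE_PATH)

def new_value(event: RegistrySetEvent):
    """DWORD written (0 enables RestrictedAdmin mode, non-zero disables it), else None."""
    m = re.search(r"dword\s*\((0x[0-9a-f]+)\)", event.details, re.I)
    return int(m.group(1), 16) if m else None

def detect(events):
    """Return (event, new_value) for every matching event, in log order."""
    return [(e, new_value(e)) for e in events if is_restricted_admin_tampering(e)]

# Constructed sample events: only the first and third touch the watched value.
SAMPLE_EVENTS = [
    RegistrySetEvent("2023-01-13 10:01:02", r"C:\Windows\System32\reg.exe",
                     r"HKLM\System\CurrentControlSet\Control\Lsa\DisableRestrictedAdmin",
                     "DWORD (0x00000000)"),
    RegistrySetEvent("2023-01-13 10:01:05", r"C:\Windows\System32\msiexec.exe",
                     r"HKLM\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel",
                     "DWORD (0x00000005)"),
    RegistrySetEvent("2023-01-13 10:02:30", r"C:\Windows\System32\cmd.exe",
                     r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\DisableRestrictedAdmin",
                     "DWORD (0x00000001)"),
]

for event, value in detect(SAMPLE_EVENTS):
    print(f"{event.utc_time} {event.image} wrote DisableRestrictedAdmin={value}")
```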
Categories
  • Windows
Data Sources
  • Windows Registry
ATT&CK Techniques
  • T1112
Created: 2023-01-13