Restricted admin mode for RDP
In a typical identity infrastructure attack, the first target is usually a regular user account or an endpoint. This is because, in most environments, highly privileged accounts and critical systems have stronger protection than end-user devices. A typical end-user account does not have the privileges or capabilities to do much damage, but a privileged account does. Once attackers complete an initial breach, their next goal is to get their hands on a privileged account.
If they start to interfere with an endpoint by doing things such as deleting files, increasing CPU/RAM usage, and damaging applications, the end user will contact the IT department for help. IT department engineers are usually members of Enterprise Admins, Domain Admins, or at least the local administrators group on the endpoint. To log in and troubleshoot, engineers have to use their privileged accounts. If the attackers are running programs for password...