IMPORTANT: No additional bug fixes or documentation updates
will be released for this version. For the latest information, see the
current release documentation.
Potential Privileged Escalation via SamAccountName Spoofing
Identifies a suspicious computer account name rename event, which may indicate an attempt to exploit CVE-2021-42278 to elevate privileges from a standard domain user to a user with domain admin privileges. CVE-2021-42278 is a security vulnerability that allows potential attackers to impersonate a domain controller via samAccountName attribute spoofing.
Rule type: eql
Rule indices:
- winlogbeat-*
- logs-windows.*
Severity: high
Risk score: 73
Runs every: 5 minutes
Searches indices from: now-9m (Date Math format, see also Additional look-back time)
Maximum alerts per execution: 100
References:
- https://support.microsoft.com/en-us/topic/kb5008102-active-directory-security-accounts-manager-hardening-changes-cve-2021-42278-5975b463-4c95-45e1-831a-d120004e258e
- https://cloudbrothers.info/en/exploit-kerberos-samaccountname-spoofing/
- https://github.com/cube0x0/noPac
- https://twitter.com/exploitph/status/1469157138928914432
- https://exploit.ph/cve-2021-42287-cve-2021-42278-weaponisation.html
Tags:
- Elastic
- Host
- Windows
- Threat Detection
- Persistence
- Privilege Escalation
Version: 1
Added (Elastic Stack release): 8.1.0
Rule authors: Elastic
Rule license: Elastic License v2
Rule query
iam where event.action == "renamed-user-account" and
  /* machine account name renamed to user like account name */
  winlog.event_data.OldTargetUserName : "*$" and
  not winlog.event_data.NewTargetUserName : "*$"
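As an added illustration (not part of the Elastic rule or its documentation), the query's logic re-implemented in Python and run over a constructed set of Winlogbeat-style rename events. Field names follow the ones used in the query, the sample account names are made up, and the mapping of event.action "renamed-user-account" to Security Event ID 4781 ("The name of an account was changed") is my understanding of the Winlogbeat security module.

```python
import fnmatch

# Constructed sample events in flattened Winlogbeat/ECS field form (not real log data).
# event.action "renamed-user-account" is what Winlogbeat emits for Security Event ID 4781.
SAMPLE_EVENTS = [
    {"event.action": "renamed-user-account",
     "winlog.event_data.OldTargetUserName": "WS01$",
     "winlog.event_data.NewTargetUserName": "DC01"},        # machine -> user-like: alert
    {"event.action": "renamed-user-account",
     "winlog.event_data.OldTargetUserName": "WS02$",
     "winlog.event_data.NewTargetUserName": "WS02-NEW$"},   # machine -> machine: benign
    {"event.action": "renamed-user-account",
     "winlog.event_data.OldTargetUserName": "jdoe",
     "winlog.event_data.NewTargetUserName": "jdoe2"},       # user -> user: benign
    {"event.action": "added-user-account",
     "winlog.event_data.OldTargetUserName": "WS03$",
     "winlog.event_data.NewTargetUserName": "x"},           # wrong event.action: ignored
    {"event.action": "renamed-user-account",
     "winlog.event_data.OldTargetUserName": "ws04$",
     "winlog.event_data.NewTargetUserName": "dc01"},        # lower case: still alerts
]


def _wildcard(value, pattern):
    """Mimic the EQL ':' operator on a keyword field: case-insensitive wildcard match."""
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def matches_rule(event):
    """Python equivalent of the rule's EQL query for a single event."""
    old = event.get("winlog.event_data.OldTargetUserName")
    new = event.get("winlog.event_data.NewTargetUserName")
    # Design choice of this example: an event missing either name field never matches.
    if old is None or new is None:
        return False
    return (event.get("event.action") == "renamed-user-account"
            and _wildcard(old, "*$")
            and not _wildcard(new, "*$"))


def detect(events):
    """Return (old_name, new_name) pairs for every event the rule would alert on."""
    return [(e["winlog.event_data.OldTargetUserName"],
             e["winlog.event_data.NewTargetUserName"])
            for e in events if matches_rule(e)]


if __name__ == "__main__":
    for old, new in detect(SAMPLE_EVENTS):
        print(f"ALERT: machine account {old!r} renamed to user-like name {new!r}")
```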
Threat mapping
Framework: MITRE ATT&CK
- Tactic:
  - Name: Privilege Escalation
  - ID: TA0004
  - Reference URL: https://attack.mitre.org/tactics/TA0004/
- Technique:
  - Name: Valid Accounts
  - ID: T1078
  - Reference URL: https://attack.mitre.org/techniques/T1078/
- Tactic:
  - Name: Persistence
  - ID: TA0003
  - Reference URL: https://attack.mitre.org/tactics/TA0003/
- Technique:
  - Name: Account Manipulation
  - ID: T1098
  - Reference URL: https://attack.mitre.org/techniques/T1098/