This documentation contains work-in-progress information for future Elastic Stack and Cloud releases. Use the version selector to view supported release docs. It also contains some Elastic Cloud serverless information. Check out our serverless docs for more details.
« Registry Persistence via AppInit DLL Remote Desktop Enabled in Windows Firewall by Netsh »
Elastic Docs Elastic Security Solution [8.16] Detections and alerts Prebuilt rule reference

Remote Computer Account DnsHostName Update

edit

Remote Computer Account DnsHostName Update

edit

Identifies the remote update to a computer account’s DnsHostName attribute. If the new value set is a valid domain controller DNS hostname and the subject computer name is not a domain controller, then it’s highly likely a preparation step to exploit CVE-2022-26923 in an attempt to elevate privileges from a standard domain user to domain admin privileges.

Rule type: eql

Rule indices:

  • winlogbeat-*
  • logs-system.*

Severity: high

Risk score: 73

Runs every: 5 minutes

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Elastic
  • Host
  • Windows
  • Threat Detection
  • Privilege Escalation
  • Active Directory

Version: 101 (version history)

Added (Elastic Stack release): 8.3.0

Last modified (Elastic Stack release): 8.6.0

Rule authors: Elastic

Rule license: Elastic License v2

Rule query

edit
sequence by host.id with maxspan=5m [authentication where
event.action == "logged-in" and winlog.logon.type == "Network" and
event.outcome == "success" and not user.name == "ANONYMOUS LOGON"
and not winlog.event_data.SubjectUserName : "*$" and not
user.domain == "NT AUTHORITY" and source.ip != "127.0.0.1" and
source.ip !="::1"] by winlog.event_data.TargetLogonId [iam where
event.action == "changed-computer-account" and /* if DnsHostName
value equal a DC DNS hostname then it's highly suspicious */
winlog.event_data.DnsHostName : "??*" and /* exclude FPs
where DnsHostName starts with the ComputerName that was changed */
not startswith~(winlog.event_data.DnsHostName,
substring(winlog.event_data.TargetUserName, 0,
length(winlog.event_data.TargetUserName) - 1)) ] by
winlog.event_data.SubjectLogonId

Threat mapping

edit

Framework: MITRE ATT&CKTM

Rule version history

edit
Version 101 (8.6.0 release)

  • Updated query, changed from:

    sequence by host.id with maxspan=5m [authentication where
event.action == "logged-in" and winlog.logon.type == "Network" and
event.outcome == "success" and not user.name == "ANONYMOUS LOGON"
and not winlog.event_data.SubjectUserName : "*$" and not
user.domain == "NT AUTHORITY" and source.ip != "127.0.0.1" and
source.ip !="::1"] by winlog.event_data.TargetLogonId [iam where
event.action == "changed-computer-account" and /* if DnsHostName
value equal a DC DNS hostname then it's highly suspicious */
winlog.event_data.DnsHostName : "??*"] by
winlog.event_data.SubjectLogonId
Version 100 (8.5.0 release)
  • Formatting only
Version 2 (8.4.0 release)
  • Formatting only
« Registry Persistence via AppInit DLL Remote Desktop Enabled in Windows Firewall by Netsh »