Potential Privileged Escalation via SamAccountName Spoofing

Identifies a suspicious computer account rename event, which may indicate an attempt to exploit CVE-2021-42278 to elevate privileges from a standard domain user to domain admin. CVE-2021-42278 is a weakness in Active Directory's sAMAccountName validation: a computer account that the attacker controls can be renamed to a name without the trailing "$" that machine accounts normally carry, so that it collides with a domain controller's name. Chained with CVE-2021-42287 (the KDC appending "$" and retrying when it cannot find the account named in a TGT), this lets the attacker obtain Kerberos service tickets as the domain controller; the referenced noPac and exploit.ph write-ups describe the weaponised chain.

Elastic rule (View on GitHub)

[metadata]
creation_date = "2021/12/12"
integration = ["system", "windows"]
maturity = "production"
updated_date = "2025/03/20"

[rule]
author = ["Elastic"]
description = """
Identifies a suspicious computer account name rename event, which may indicate an attempt to exploit CVE-2021-42278 to
elevate privileges from a standard domain user to a user with domain admin privileges. CVE-2021-42278 is a security
vulnerability that allows potential attackers to impersonate a domain controller via samAccountName attribute spoofing.
"""
from = "now-9m"
index = ["logs-system.security*", "logs-windows.forwarded*", "winlogbeat-*"]
language = "eql"
license = "Elastic License v2"
name = "Potential Privileged Escalation via SamAccountName Spoofing"
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Potential Privileged Escalation via SamAccountName Spoofing

In Active Directory environments, the samAccountName attribute is crucial for identifying user and computer accounts. Adversaries may exploit vulnerabilities like CVE-2021-42278 to spoof this attribute, potentially elevating privileges by renaming computer accounts to mimic domain controllers. The detection rule identifies suspicious renaming events, where a machine account is altered to resemble a user account, signaling possible privilege escalation attempts.

### Possible investigation steps

- Review the event logs to confirm the occurrence of a "renamed-user-account" action, focusing on entries where the OldTargetUserName ends with a "$" and the NewTargetUserName does not, indicating a potential spoofing attempt.
- Identify the source of the rename event by examining the event logs for the user or system that initiated the change, and determine if it aligns with expected administrative activity.
- Check the history of the NewTargetUserName to see if it has been used in any recent authentication attempts or privileged operations, which could indicate malicious intent.
- Investigate the associated IP address and hostname from which the rename action was performed to determine if it is a known and trusted source within the network.
- Correlate the event with other security alerts or logs to identify any patterns or additional suspicious activities that might suggest a broader attack campaign.
- Assess the potential impact by determining if the renamed account has been granted elevated privileges or access to sensitive resources since the rename event occurred.

### False positive analysis

- Routine administrative tasks involving legitimate renaming of computer accounts can trigger false positives. To manage this, create exceptions for known administrative activities by excluding specific administrator accounts or service accounts from the detection rule.
- Automated processes or scripts that rename computer accounts as part of regular maintenance or deployment procedures may also cause false alerts. Identify these processes and exclude their associated accounts or event patterns from the rule.
- Temporary renaming of computer accounts for troubleshooting or testing purposes can be mistaken for suspicious activity. Document and exclude these temporary changes by maintaining a list of authorized personnel and their activities.
- Changes made by trusted third-party software or management tools that interact with Active Directory should be reviewed and, if deemed safe, excluded from triggering alerts by specifying the tool's account or signature in the rule exceptions.

### Response and remediation

- Immediately isolate the affected machine from the network to prevent further unauthorized access or lateral movement within the domain.
- Revert any unauthorized changes to the samAccountName attribute by renaming the affected computer account back to its original name.
- Conduct a thorough review of recent changes in Active Directory, focusing on user and computer account modifications, to identify any other potentially compromised accounts.
- Reset passwords for the affected machine account and any other accounts that may have been accessed or modified during the incident.
- Apply the latest security patches and updates to all domain controllers and critical systems to mitigate vulnerabilities like CVE-2021-42278.
- Enhance monitoring and logging for Active Directory events, specifically focusing on account renaming activities, to detect similar threats in the future.
- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to ensure comprehensive remediation efforts are undertaken."""
references = [
    "https://support.microsoft.com/en-us/topic/kb5008102-active-directory-security-accounts-manager-hardening-changes-cve-2021-42278-5975b463-4c95-45e1-831a-d120004e258e",
    "https://cloudbrothers.info/en/exploit-kerberos-samaccountname-spoofing/",
    "https://github.com/cube0x0/noPac",
    "https://twitter.com/exploitph/status/1469157138928914432",
    "https://exploit.ph/cve-2021-42287-cve-2021-42278-weaponisation.html",
]
risk_score = 73
rule_id = "bdcf646b-08d4-492c-870a-6c04e3700034"
severity = "high"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Persistence",
    "Tactic: Privilege Escalation",
    "Use Case: Active Directory Monitoring",
    "Data Source: Active Directory",
    "Use Case: Vulnerability",
    "Data Source: Windows Security Event Logs",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
iam where event.action == "renamed-user-account" and
  /* machine account name renamed to user like account name */
  winlog.event_data.OldTargetUserName : "*$" and not winlog.event_data.NewTargetUserName : "*$"
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1068"
name = "Exploitation for Privilege Escalation"
reference = "https://attack.mitre.org/techniques/T1068/"

[[rule.threat.technique]]
id = "T1078"
name = "Valid Accounts"
reference = "https://attack.mitre.org/techniques/T1078/"
[[rule.threat.technique.subtechnique]]
id = "T1078.002"
name = "Domain Accounts"
reference = "https://attack.mitre.org/techniques/T1078/002/"



[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1098"
name = "Account Manipulation"
reference = "https://attack.mitre.org/techniques/T1098/"


[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
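The EQL query above only asserts that a machine account lost its trailing "$"; it does not know whether the new name collides with a domain controller, who performed the rename, or whether the spoofed name was used for a Kerberos ticket request afterwards, which are the checks the investigation guide asks for. The following Python is an added example, not Elastic's code, that replays the rule's predicate over a handful of constructed ECS-shaped events (the shape the Elastic system/windows integrations emit for Windows Security event 4781, "The name of an account was changed", and for 4768/4769 Kerberos ticket requests) and then applies those triage checks. The DC account names, the allowlisted provisioning account, the 10-minute correlation window and all sample values are assumptions for the example.

```python
"""Replay of the rule's EQL predicate plus the guide's triage checks over
constructed Security-log events.  Added example, not Elastic's own code."""
from datetime import datetime, timedelta

# Constructed sample events (ECS-shaped).  event.action "renamed-user-account"
# is how the integration labels Windows Security event 4781; 4768/4769 are
# Kerberos TGT/TGS requests.  Hosts, users and addresses are fictional.
SAMPLE_EVENTS = [
    # 1. standard user strips the "$" from a workstation account so that it
    #    collides with a domain controller's name (the noPac precondition)
    {"@timestamp": "2025-03-20T10:00:00Z",
     "event": {"action": "renamed-user-account", "code": "4781"},
     "winlog": {"event_data": {"SubjectUserName": "jdoe",
                               "OldTargetUserName": "WS01$",
                               "NewTargetUserName": "DC01"}}},
    # 2. a TGT is then requested for the spoofed name
    {"@timestamp": "2025-03-20T10:00:05Z",
     "event": {"action": "kerberos-authentication-ticket-requested", "code": "4768"},
     "winlog": {"event_data": {"TargetUserName": "DC01", "IpAddress": "10.0.0.23"}}},
    # 3. name restored; OldTargetUserName has no "$", so the rule does not fire
    {"@timestamp": "2025-03-20T10:00:08Z",
     "event": {"action": "renamed-user-account", "code": "4781"},
     "winlog": {"event_data": {"SubjectUserName": "jdoe",
                               "OldTargetUserName": "DC01",
                               "NewTargetUserName": "WS01$"}}},
    # 4. provisioning job renames one machine account to another: no match
    {"@timestamp": "2025-03-20T11:00:00Z",
     "event": {"action": "renamed-user-account", "code": "4781"},
     "winlog": {"event_data": {"SubjectUserName": "svc-provision",
                               "OldTargetUserName": "OLDHOST$",
                               "NewTargetUserName": "NEWHOST$"}}},
    # 5. provisioning job drops the "$": matches the rule, but the subject is
    #    allowlisted and the new name is not a DC, so it triages as likely benign
    {"@timestamp": "2025-03-20T11:05:00Z",
     "event": {"action": "renamed-user-account", "code": "4781"},
     "winlog": {"event_data": {"SubjectUserName": "svc-provision",
                               "OldTargetUserName": "LAB07$",
                               "NewTargetUserName": "LAB07"}}},
]

# Environment knowledge the analyst supplies (assumed values for the example)
DC_SAM_ACCOUNT_NAMES = {"DC01$", "DC02$"}
ALLOWLISTED_SUBJECTS = {"svc-provision"}


def _ts(event):
    return datetime.fromisoformat(event["@timestamp"].replace("Z", "+00:00"))


def rule_predicate(event):
    """Same test as the EQL query: a 4781 whose old name is a machine account
    ("*$") and whose new name is not.  EQL ':' is a case-insensitive wildcard
    match; with the pattern "*$" that reduces to an endswith check."""
    if event.get("event", {}).get("action") != "renamed-user-account":
        return False
    data = event.get("winlog", {}).get("event_data", {})
    old = data.get("OldTargetUserName", "")
    new = data.get("NewTargetUserName", "")
    return old.endswith("$") and not new.endswith("$")


def run_rule(events):
    return [e for e in events if rule_predicate(e)]


def triage(alert, events, dc_names=DC_SAM_ACCOUNT_NAMES,
           allowlist=ALLOWLISTED_SUBJECTS, window=timedelta(minutes=10)):
    """The guide's checks: does the new name collide with a DC account, is the
    actor a known provisioning account, and was the new name used in a
    Kerberos ticket request within `window` after the rename."""
    data = alert["winlog"]["event_data"]
    new_name = data["NewTargetUserName"]
    subject = data.get("SubjectUserName", "")
    t0 = _ts(alert)
    kerberos = [
        ev["event"]["code"] for ev in events
        if ev["event"].get("code") in ("4768", "4769")
        and t0 <= _ts(ev) <= t0 + window
        and ev["winlog"]["event_data"].get("TargetUserName", "").lower() == new_name.lower()
    ]
    collides = (new_name + "$").upper() in {n.upper() for n in dc_names}
    allowlisted = subject.lower() in {s.lower() for s in allowlist}
    if collides or kerberos:
        verdict = "escalate"       # spoofed DC name, or the name was already used
    elif allowlisted:
        verdict = "likely-benign"  # known tooling, no DC collision, no ticket use
    else:
        verdict = "review"
    return {"subject": subject, "new_name": new_name, "collides_with_dc": collides,
            "subject_allowlisted": allowlisted,
            "kerberos_requests_after_rename": kerberos, "verdict": verdict}


if __name__ == "__main__":
    for alert in run_rule(SAMPLE_EVENTS):
        print(triage(alert, SAMPLE_EVENTS))
```

Two points this makes visible. First, the rename back to the original name (event 3) never matches the rule, because its OldTargetUserName carries no "$"; in the real attack that restoring rename happens seconds after the first one, so the alert from event 1 is the only 4781 you will see, and the 4768 for the spoofed name in between is the corroborating evidence. Second, an allowlist on SubjectUserName should never override the DC-collision check: a provisioning account that renames something to a DC's name is exactly the case worth a human look.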