Potential Privileged Escalation via SamAccountName Spoofing
Identifies a suspicious computer account name rename event, which may indicate an attempt to exploit CVE-2021-42278 to elevate privileges from a standard domain user to a user with domain admin privileges. CVE-2021-42278 is a security vulnerability that allows potential attackers to impersonate a domain controller via samAccountName attribute spoofing.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2021/12/12"
3integration = ["system", "windows"]
4maturity = "production"
5updated_date = "2024/10/15"
6min_stack_version = "8.14.0"
7min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
8
9[rule]
10author = ["Elastic"]
11description = """
12Identifies a suspicious computer account name rename event, which may indicate an attempt to exploit CVE-2021-42278 to
13elevate privileges from a standard domain user to a user with domain admin privileges. CVE-2021-42278 is a security
14vulnerability that allows potential attackers to impersonate a domain controller via samAccountName attribute spoofing.
15"""
16from = "now-9m"
17index = ["winlogbeat-*", "logs-system.*", "logs-windows.*"]
18language = "eql"
19license = "Elastic License v2"
20name = "Potential Privileged Escalation via SamAccountName Spoofing"
21references = [
22 "https://support.microsoft.com/en-us/topic/kb5008102-active-directory-security-accounts-manager-hardening-changes-cve-2021-42278-5975b463-4c95-45e1-831a-d120004e258e",
23 "https://cloudbrothers.info/en/exploit-kerberos-samaccountname-spoofing/",
24 "https://github.com/cube0x0/noPac",
25 "https://twitter.com/exploitph/status/1469157138928914432",
26 "https://exploit.ph/cve-2021-42287-cve-2021-42278-weaponisation.html",
27]
28risk_score = 73
29rule_id = "bdcf646b-08d4-492c-870a-6c04e3700034"
30setup = """## Setup
31
32If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
33events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
34Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
35`event.ingested` to @timestamp.
36For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
37"""
38severity = "high"
39tags = [
40 "Domain: Endpoint",
41 "OS: Windows",
42 "Use Case: Threat Detection",
43 "Tactic: Persistence",
44 "Tactic: Privilege Escalation",
45 "Use Case: Active Directory Monitoring",
46 "Data Source: Active Directory",
47 "Use Case: Vulnerability",
48 "Data Source: System",
49]
50timestamp_override = "event.ingested"
51type = "eql"
52
53query = '''
54iam where event.action == "renamed-user-account" and
55 /* machine account name renamed to user like account name */
56 winlog.event_data.OldTargetUserName : "*$" and not winlog.event_data.NewTargetUserName : "*$"
57'''
58
59
60[[rule.threat]]
61framework = "MITRE ATT&CK"
62[[rule.threat.technique]]
63id = "T1068"
64name = "Exploitation for Privilege Escalation"
65reference = "https://attack.mitre.org/techniques/T1068/"
66
67[[rule.threat.technique]]
68id = "T1078"
69name = "Valid Accounts"
70reference = "https://attack.mitre.org/techniques/T1078/"
71[[rule.threat.technique.subtechnique]]
72id = "T1078.002"
73name = "Domain Accounts"
74reference = "https://attack.mitre.org/techniques/T1078/002/"
75
76
77
78[rule.threat.tactic]
79id = "TA0004"
80name = "Privilege Escalation"
81reference = "https://attack.mitre.org/tactics/TA0004/"
82[[rule.threat]]
83framework = "MITRE ATT&CK"
84[[rule.threat.technique]]
85id = "T1098"
86name = "Account Manipulation"
87reference = "https://attack.mitre.org/techniques/T1098/"
88
89
90[rule.threat.tactic]
91id = "TA0003"
92name = "Persistence"
93reference = "https://attack.mitre.org/tactics/TA0003/"
References
-
Summary CVE-2021-42278 addresses a security bypass vulnerability that allows potential attackers to impersonate a domain controller using computer account sAMAccountName spoofing. This article prov...
Read More -
When Microsoft released the November 2021 patches, the following CVEs caught the eye of many security professionals because they allow impersonation of a domain controller in an Active Directory environment. CVE-2021-42278 - KB5008102 Active Directory Security Accounts Manager hardening changes CVE-2021-42278 addresses a security bypass vulnerability that allows potential attackers to impersonate a domain controller using computer account sAMAccountName spoofing. CVE-2021-42287 KB5008380 Authentication updates CVE-2021-42287 addresses a security bypass vulnerability that affects the Kerberos Privilege Attribute Certificate (PAC) and allows potential attackers to impersonate domain controllers.
Read More -
-
Related rules
- Remote Computer Account DnsHostName Update
- Access to a Sensitive LDAP Attribute
- Active Directory Group Modification by SYSTEM
- AdminSDHolder SDProp Exclusion Added
- Group Policy Abuse for Privilege Addition