Potential Privileged Escalation via SamAccountName Spoofing

calendar May 22, 2024 · Domain: Endpoint OS: Windows Use Case: Threat Detection Tactic: Persistence Tactic: Privilege Escalation Use Case: Active Directory Monitoring Data Source: Active Directory Use Case: Vulnerability  ·
Share on: linkedin copy

Identifies a suspicious computer account name rename event, which may indicate an attempt to exploit CVE-2021-42278 to elevate privileges from a standard domain user to a user with domain admin privileges. CVE-2021-42278 is a security vulnerability that allows potential attackers to impersonate a domain controller via samAccountName attribute spoofing.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2021/12/12"
 3integration = ["system", "windows"]
 4maturity = "production"
 5updated_date = "2024/05/21"
 6
 7[rule]
 8author = ["Elastic"]
 9description = """
10Identifies a suspicious computer account name rename event, which may indicate an attempt to exploit CVE-2021-42278 to
11elevate privileges from a standard domain user to a user with domain admin privileges. CVE-2021-42278 is a security
12vulnerability that allows potential attackers to impersonate a domain controller via samAccountName attribute spoofing.
13"""
14from = "now-9m"
15index = ["winlogbeat-*", "logs-system.*", "logs-windows.*"]
16language = "eql"
17license = "Elastic License v2"
18name = "Potential Privileged Escalation via SamAccountName Spoofing"
19references = [
20    "https://support.microsoft.com/en-us/topic/kb5008102-active-directory-security-accounts-manager-hardening-changes-cve-2021-42278-5975b463-4c95-45e1-831a-d120004e258e",
21    "https://cloudbrothers.info/en/exploit-kerberos-samaccountname-spoofing/",
22    "https://github.com/cube0x0/noPac",
23    "https://twitter.com/exploitph/status/1469157138928914432",
24    "https://exploit.ph/cve-2021-42287-cve-2021-42278-weaponisation.html",
25]
26risk_score = 73
27rule_id = "bdcf646b-08d4-492c-870a-6c04e3700034"
28setup = """## Setup
29
30If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
31events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
32Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
33`event.ingested` to @timestamp.
34For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
35"""
36severity = "high"
37tags = [
38    "Domain: Endpoint",
39    "OS: Windows",
40    "Use Case: Threat Detection",
41    "Tactic: Persistence",
42    "Tactic: Privilege Escalation",
43    "Use Case: Active Directory Monitoring",
44    "Data Source: Active Directory",
45    "Use Case: Vulnerability",
46]
47timestamp_override = "event.ingested"
48type = "eql"
49
50query = '''
51iam where event.action == "renamed-user-account" and
52  /* machine account name renamed to user like account name */
53  winlog.event_data.OldTargetUserName : "*$" and not winlog.event_data.NewTargetUserName : "*$"
54'''
55
56
57[[rule.threat]]
58framework = "MITRE ATT&CK"
59[[rule.threat.technique]]
60id = "T1068"
61name = "Exploitation for Privilege Escalation"
62reference = "https://attack.mitre.org/techniques/T1068/"
63
64[[rule.threat.technique]]
65id = "T1078"
66name = "Valid Accounts"
67reference = "https://attack.mitre.org/techniques/T1078/"
68[[rule.threat.technique.subtechnique]]
69id = "T1078.002"
70name = "Domain Accounts"
71reference = "https://attack.mitre.org/techniques/T1078/002/"
72
73
74
75[rule.threat.tactic]
76id = "TA0004"
77name = "Privilege Escalation"
78reference = "https://attack.mitre.org/tactics/TA0004/"
79[[rule.threat]]
80framework = "MITRE ATT&CK"
81[[rule.threat.technique]]
82id = "T1098"
83name = "Account Manipulation"
84reference = "https://attack.mitre.org/techniques/T1098/"
85
86
87[rule.threat.tactic]
88id = "TA0003"
89name = "Persistence"
90reference = "https://attack.mitre.org/tactics/TA0003/"

References

Related rules

to-top