Potential Privileged Escalation via SamAccountName Spoofing

Identifies a suspicious computer account name rename event, which may indicate an attempt to exploit CVE-2021-42278 to elevate privileges from a standard domain user to a user with domain admin privileges. CVE-2021-42278 is a security vulnerability that allows potential attackers to impersonate a domain controller via samAccountName attribute spoofing.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2021/12/12"
 3integration = ["system", "windows"]
 4maturity = "production"
 5min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 6min_stack_version = "8.3.0"
 7updated_date = "2023/10/23"
 8
 9[rule]
10author = ["Elastic"]
11description = """
12Identifies a suspicious computer account name rename event, which may indicate an attempt to exploit CVE-2021-42278 to
13elevate privileges from a standard domain user to a user with domain admin privileges. CVE-2021-42278 is a security
14vulnerability that allows potential attackers to impersonate a domain controller via samAccountName attribute spoofing.
15"""
16from = "now-9m"
17index = ["winlogbeat-*", "logs-system.*", "logs-windows.*"]
18language = "eql"
19license = "Elastic License v2"
20name = "Potential Privileged Escalation via SamAccountName Spoofing"
21references = [
22    "https://support.microsoft.com/en-us/topic/kb5008102-active-directory-security-accounts-manager-hardening-changes-cve-2021-42278-5975b463-4c95-45e1-831a-d120004e258e",
23    "https://cloudbrothers.info/en/exploit-kerberos-samaccountname-spoofing/",
24    "https://github.com/cube0x0/noPac",
25    "https://twitter.com/exploitph/status/1469157138928914432",
26    "https://exploit.ph/cve-2021-42287-cve-2021-42278-weaponisation.html",
27]
28risk_score = 73
29rule_id = "bdcf646b-08d4-492c-870a-6c04e3700034"
30setup = """
31If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
32events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
33Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
34`event.ingested` to @timestamp.
35For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
36"""
37severity = "high"
38tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Use Case: Active Directory Monitoring", "Data Source: Active Directory", "Use Case: Vulnerability"]
39timestamp_override = "event.ingested"
40type = "eql"
41
42query = '''
43iam where event.action == "renamed-user-account" and
44  /* machine account name renamed to user like account name */
45  winlog.event_data.OldTargetUserName : "*$" and not winlog.event_data.NewTargetUserName : "*$"
46'''
47
48
49[[rule.threat]]
50framework = "MITRE ATT&CK"
51
52[[rule.threat.technique]]
53id = "T1068"
54name = "Exploitation for Privilege Escalation"
55reference = "https://attack.mitre.org/techniques/T1068/"
56
57[[rule.threat.technique]]
58id = "T1078"
59name = "Valid Accounts"
60reference = "https://attack.mitre.org/techniques/T1078/"
61[[rule.threat.technique.subtechnique]]
62id = "T1078.002"
63name = "Domain Accounts"
64reference = "https://attack.mitre.org/techniques/T1078/002/"
65
66
67
68[rule.threat.tactic]
69id = "TA0004"
70name = "Privilege Escalation"
71reference = "https://attack.mitre.org/tactics/TA0004/"
72[[rule.threat]]
73framework = "MITRE ATT&CK"
74[[rule.threat.technique]]
75id = "T1098"
76name = "Account Manipulation"
77reference = "https://attack.mitre.org/techniques/T1098/"
78
79
80[rule.threat.tactic]
81id = "TA0003"
82name = "Persistence"
83reference = "https://attack.mitre.org/tactics/TA0003/"

References

Related rules

to-top