Potential Privileged Escalation via SamAccountName Spoofing
Identifies a suspicious computer account name rename event, which may indicate an attempt to exploit CVE-2021-42278 to elevate privileges from a standard domain user to a user with domain admin privileges. CVE-2021-42278 is a security vulnerability that allows potential attackers to impersonate a domain controller via samAccountName attribute spoofing.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2021/12/12"
3integration = ["system", "windows"]
4maturity = "production"
5min_stack_comments = "New fields added: required_fields, related_integrations, setup"
6min_stack_version = "8.3.0"
7updated_date = "2023/10/23"
8
9[rule]
10author = ["Elastic"]
11description = """
12Identifies a suspicious computer account name rename event, which may indicate an attempt to exploit CVE-2021-42278 to
13elevate privileges from a standard domain user to a user with domain admin privileges. CVE-2021-42278 is a security
14vulnerability that allows potential attackers to impersonate a domain controller via samAccountName attribute spoofing.
15"""
16from = "now-9m"
17index = ["winlogbeat-*", "logs-system.*", "logs-windows.*"]
18language = "eql"
19license = "Elastic License v2"
20name = "Potential Privileged Escalation via SamAccountName Spoofing"
21references = [
22 "https://support.microsoft.com/en-us/topic/kb5008102-active-directory-security-accounts-manager-hardening-changes-cve-2021-42278-5975b463-4c95-45e1-831a-d120004e258e",
23 "https://cloudbrothers.info/en/exploit-kerberos-samaccountname-spoofing/",
24 "https://github.com/cube0x0/noPac",
25 "https://twitter.com/exploitph/status/1469157138928914432",
26 "https://exploit.ph/cve-2021-42287-cve-2021-42278-weaponisation.html",
27]
28risk_score = 73
29rule_id = "bdcf646b-08d4-492c-870a-6c04e3700034"
30setup = """## Setup
31
32If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
33events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
34Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
35`event.ingested` to @timestamp.
36For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
37"""
38severity = "high"
39tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Use Case: Active Directory Monitoring", "Data Source: Active Directory", "Use Case: Vulnerability"]
40timestamp_override = "event.ingested"
41type = "eql"
42
43query = '''
44iam where event.action == "renamed-user-account" and
45 /* machine account name renamed to user like account name */
46 winlog.event_data.OldTargetUserName : "*$" and not winlog.event_data.NewTargetUserName : "*$"
47'''
48
49
50[[rule.threat]]
51framework = "MITRE ATT&CK"
52
53[[rule.threat.technique]]
54id = "T1068"
55name = "Exploitation for Privilege Escalation"
56reference = "https://attack.mitre.org/techniques/T1068/"
57
58[[rule.threat.technique]]
59id = "T1078"
60name = "Valid Accounts"
61reference = "https://attack.mitre.org/techniques/T1078/"
62[[rule.threat.technique.subtechnique]]
63id = "T1078.002"
64name = "Domain Accounts"
65reference = "https://attack.mitre.org/techniques/T1078/002/"
66
67
68
69[rule.threat.tactic]
70id = "TA0004"
71name = "Privilege Escalation"
72reference = "https://attack.mitre.org/tactics/TA0004/"
73[[rule.threat]]
74framework = "MITRE ATT&CK"
75[[rule.threat.technique]]
76id = "T1098"
77name = "Account Manipulation"
78reference = "https://attack.mitre.org/techniques/T1098/"
79
80
81[rule.threat.tactic]
82id = "TA0003"
83name = "Persistence"
84reference = "https://attack.mitre.org/tactics/TA0003/"
References
-
Summary CVE-2021-42278 addresses a security bypass vulnerability that allows potential attackers to impersonate a domain controller using computer account sAMAccountName spoofing. This article prov...
Read More -
When Microsoft released the November 2021 patches, the following CVEs caught the eye of many security professionals because they allow impersonation of a domain controller in an Active Directory environment. CVE-2021-42278 - KB5008102 Active Directory Security Accounts Manager hardening changes CVE-2021-42278 addresses a security bypass vulnerability that allows potential attackers to impersonate a domain controller using computer account sAMAccountName spoofing. CVE-2021-42287 KB5008380 Authentication updates CVE-2021-42287 addresses a security bypass vulnerability that affects the Kerberos Privilege Attribute Certificate (PAC) and allows potential attackers to impersonate domain controllers.
Read More -
-
-
Related rules
- Remote Computer Account DnsHostName Update
- Access to a Sensitive LDAP Attribute
- AdminSDHolder SDProp Exclusion Added
- FirstTime Seen Account Performing DCSync
- Group Policy Abuse for Privilege Addition