Remote Computer Account DnsHostName Update

Identifies the remote update to a computer account's DnsHostName attribute. If the new value set is a valid domain controller DNS hostname and the subject computer name is not a domain controller, then it's highly likely a preparation step to exploit CVE-2022-26923 in an attempt to elevate privileges from a standard domain user to domain admin privileges.

Elastic rule (View on GitHub)

```toml
[metadata]
creation_date = "2022/05/11"
integration = ["system", "windows"]
maturity = "production"
updated_date = "2025/01/15"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."

[rule]
author = ["Elastic"]
description = """
Identifies the remote update to a computer account's DnsHostName attribute. If the new value set is a valid domain
controller DNS hostname and the subject computer name is not a domain controller, then it's highly likely a preparation
step to exploit CVE-2022-26923 in an attempt to elevate privileges from a standard domain user to domain admin
privileges.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-system.*", "logs-windows.*"]
language = "eql"
license = "Elastic License v2"
name = "Remote Computer Account DnsHostName Update"
references = [
    "https://research.ifcr.dk/certifried-active-directory-domain-privilege-escalation-cve-2022-26923-9e098fe298f4",
    "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-26923",
]
risk_score = 73
rule_id = "6bed021a-0afb-461c-acbe-ffdb9574d3f3"
severity = "high"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Privilege Escalation",
    "Use Case: Active Directory Monitoring",
    "Data Source: Active Directory",
    "Use Case: Vulnerability",
    "Data Source: System",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
iam where event.action == "changed-computer-account" and user.id : ("S-1-5-21-*", "S-1-12-1-*") and

    /* if DnsHostName value equal a DC DNS hostname then it's highly suspicious */
    winlog.event_data.DnsHostName : "??*" and

    /* exclude FPs where DnsHostName starts with the ComputerName that was changed */
    not startswith~(winlog.event_data.DnsHostName, substring(winlog.event_data.TargetUserName, 0, length(winlog.event_data.TargetUserName) - 1))
'''
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Remote Computer Account DnsHostName Update

In Active Directory environments, the DnsHostName attribute links computer accounts to their DNS names, crucial for network communication. Adversaries may exploit this by altering a non-domain controller's DnsHostName to mimic a domain controller, potentially exploiting vulnerabilities like CVE-2022-26923 for privilege escalation. The detection rule identifies suspicious changes by monitoring for remote updates to this attribute, especially when the new hostname resembles a domain controller's, flagging potential exploitation attempts.

### Possible investigation steps

- Review the event logs to confirm the occurrence of the "changed-computer-account" action, focusing on the user.id fields ("S-1-5-21-*", "S-1-12-1-*") to identify the user who initiated the change.
- Verify the new DnsHostName value against the list of legitimate domain controller DNS hostnames to assess if it matches any known domain controllers.
- Check the winlog.event_data.TargetUserName to ensure that the DnsHostName does not start with the computer name that was changed, which could indicate a false positive.
- Investigate the account associated with the user.id to determine if it has a history of suspicious activity or if it has been compromised.
- Examine recent changes or activities on the affected computer account to identify any unauthorized access or configuration changes.
- Correlate this event with other security alerts or logs to identify potential patterns or coordinated activities that might indicate a broader attack.

### False positive analysis

- Routine maintenance or updates to computer accounts may trigger the rule if the DnsHostName is temporarily set to a domain controller-like name. To manage this, create exceptions for known maintenance periods or specific administrative accounts performing these updates.
- Automated scripts or tools that update computer account attributes might inadvertently match the rule's conditions. Identify and exclude these scripts or tools by their user IDs or specific patterns in their operations.
- Legitimate changes in network architecture, such as the promotion of a server to a domain controller, could be flagged. Ensure that such changes are documented and create exceptions for the involved accounts or systems during the transition period.
- Temporary testing environments where non-domain controllers are configured with domain controller-like hostnames for testing purposes can cause false positives. Exclude these environments by their specific hostnames or network segments.
- Regularly review and update the list of known domain controller hostnames to ensure that legitimate changes in the network are not mistakenly flagged as suspicious.

### Response and remediation

- Immediately isolate the affected computer from the network to prevent further unauthorized changes or potential exploitation.
- Verify the legitimacy of the DnsHostName change by cross-referencing with known domain controller hostnames and authorized change requests.
- Revert any unauthorized changes to the DnsHostName attribute to its original state to restore proper network communication and prevent misuse.
- Conduct a thorough review of recent account activities and permissions for the user account involved in the change to identify any unauthorized access or privilege escalation attempts.
- Escalate the incident to the security operations team for further investigation and to assess potential exploitation of CVE-2022-26923 or other vulnerabilities.
- Implement additional monitoring on the affected system and similar systems to detect any further suspicious activities or attempts to exploit vulnerabilities.
- Review and update access controls and permissions for computer accounts in Active Directory to ensure only authorized personnel can make changes to critical attributes like DnsHostName."""


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1068"
name = "Exploitation for Privilege Escalation"
reference = "https://attack.mitre.org/techniques/T1068/"

[[rule.threat.technique]]
id = "T1078"
name = "Valid Accounts"
reference = "https://attack.mitre.org/techniques/T1078/"
[[rule.threat.technique.subtechnique]]
id = "T1078.002"
name = "Domain Accounts"
reference = "https://attack.mitre.org/techniques/T1078/002/"



[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"
```
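To see exactly what the EQL query above matches and excludes, here is an added example (not Elastic's code) that re-implements its three conditions in Python and runs them over constructed 4742-style events, then applies the guide's second investigation step by checking the new DnsHostName against a list of known domain controllers. The event dictionaries, SIDs and hostnames are all made up for the example.

```python
import fnmatch

# Constructed sample events (not real telemetry) with the ECS fields the rule
# reads from Windows Security event 4742 "A computer account was changed".
SAMPLE_EVENTS = [
    # domain user points a workstation account at a DC hostname -> alert
    {"event.action": "changed-computer-account", "user.id": "S-1-5-21-1111-2222-3333-1105",
     "winlog.event_data.TargetUserName": "WS01$",
     "winlog.event_data.DnsHostName": "dc01.corp.example.com"},
    # routine change: DnsHostName starts with the computer name -> excluded
    {"event.action": "changed-computer-account", "user.id": "S-1-5-21-1111-2222-3333-500",
     "winlog.event_data.TargetUserName": "ws02$",
     "winlog.event_data.DnsHostName": "WS02.corp.example.com"},
    # change made under a well-known SID (LocalSystem), not a domain user -> skipped
    {"event.action": "changed-computer-account", "user.id": "S-1-5-18",
     "winlog.event_data.TargetUserName": "WS03$",
     "winlog.event_data.DnsHostName": "dc02.corp.example.com"},
    # attribute not changed: event 4742 logs "-" for it -> fails the "??*" test
    {"event.action": "changed-computer-account", "user.id": "S-1-5-21-1111-2222-3333-1106",
     "winlog.event_data.TargetUserName": "WS04$",
     "winlog.event_data.DnsHostName": "-"},
]

DOMAIN_SID_PATTERNS = ("S-1-5-21-*", "S-1-12-1-*")  # the rule's user.id globs


def matches_rule(ev: dict) -> bool:
    """Apply the EQL conditions of the rule to a single event."""
    if ev.get("event.action") != "changed-computer-account":
        return False
    sid = ev.get("user.id", "")
    if not any(fnmatch.fnmatchcase(sid, p) for p in DOMAIN_SID_PATTERNS):
        return False
    dns = ev.get("winlog.event_data.DnsHostName", "")
    if not fnmatch.fnmatchcase(dns, "??*"):  # at least two chars, so "-" is out
        return False
    # substring(TargetUserName, 0, length - 1) drops the trailing "$" of the
    # computer account name; startswith~ is case-insensitive, hence lower().
    computer = ev.get("winlog.event_data.TargetUserName", "")[:-1]
    return not dns.lower().startswith(computer.lower())


def triage(events: list, dc_hostnames: set) -> list:
    """Tag each alert with whether the new DnsHostName is a known DC name."""
    known = {h.lower() for h in dc_hostnames}
    return [(ev["winlog.event_data.TargetUserName"],
             ev["winlog.event_data.DnsHostName"],
             ev["winlog.event_data.DnsHostName"].lower() in known)
            for ev in events if matches_rule(ev)]
```

An alert whose third tuple element is True (the hostname belongs to a real DC) is the case the rule description calls out and should be handled first.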
