Suspicious Computer Account Name Change CVE-2021-42287
Detects the renaming of an existing computer account to an account name that does not contain a $ symbol, as seen in sAMAccountName spoofing attacks against CVE-2021-42287, where an attacker strips the trailing $ from a computer account they control so that its name collides with a domain controller's account name. Legitimate computer account renames keep the trailing $, so a rename that drops it is the signal this rule keys on.
Sigma rule

```yaml
title: Suspicious Computer Account Name Change CVE-2021-42287
id: 45eb2ae2-9aa2-4c3a-99a5-6e5077655466
status: test
description: Detects the renaming of an existing computer account to an account name that doesn't contain a $ symbol as seen in attacks against CVE-2021-42287
references:
  - https://medium.com/@mvelazco/hunting-for-samaccountname-spoofing-cve-2021-42287-and-domain-controller-impersonation-f704513c8a45
author: Florian Roth (Nextron Systems)
date: 2021-12-22
modified: 2022-12-25
tags:
  - cve.2021-42287
  - detection.emerging-threats
  - attack.defense-evasion
  - attack.persistence
  - attack.t1036
  - attack.t1098
logsource:
  product: windows
  service: security
detection:
  selection:
    EventID: 4781 # "The name of an account was changed" (fires for user and computer accounts)
    OldTargetUserName|contains: '$'
  filter:
    NewTargetUserName|contains: '$'
  condition: selection and not filter
falsepositives:
  - Unknown
fields:
  - EventID
  - SubjectUserName
level: high
```
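The rule's condition is small enough to check by hand: an Event 4781 whose old name contains $ and whose new name does not. As an added example (not part of the Sigma rule, the SigmaHQ project, or the referenced blog post), the following Python implements exactly that condition and runs it over a handful of constructed Security-log records keyed by the Sigma field names. The account names, the user `jdoe`, and the attacker's rename/rename-back sequence are all made up for illustration.

```python
"""Rule logic of 'Suspicious Computer Account Name Change CVE-2021-42287' run over
constructed Security-log events. Example code, not SigmaHQ's own."""

# Events are dicts keyed by the field names the Sigma rule uses (the Windows
# Security log event-data names). Every record below is constructed for this example.
SAMPLE_EVENTS = [
    # Hypothetical low-privileged user 'jdoe' who controls WS01$ renames the
    # computer account to the DC's name without the trailing '$'.
    {"EventID": 4781, "SubjectUserName": "jdoe",
     "OldTargetUserName": "WS01$", "NewTargetUserName": "DC01"},
    # Later the attacker renames the account back to its original name.
    {"EventID": 4781, "SubjectUserName": "jdoe",
     "OldTargetUserName": "DC01", "NewTargetUserName": "WS01$"},
    # Routine computer rename by an admin: the '$' is preserved.
    {"EventID": 4781, "SubjectUserName": "admin",
     "OldTargetUserName": "OLDPC$", "NewTargetUserName": "NEWPC$"},
    # A user account rename: no '$' on either side, so the selection never matches.
    {"EventID": 4781, "SubjectUserName": "admin",
     "OldTargetUserName": "jsmith", "NewTargetUserName": "jsmith2"},
    # A different event ID carrying similar fields must not match.
    {"EventID": 4742, "SubjectUserName": "jdoe",
     "OldTargetUserName": "WS02$", "NewTargetUserName": "WS02"},
]


def sigma_contains(value, needle):
    """Sigma's 'contains' modifier: case-insensitive substring match."""
    return needle.lower() in str(value).lower()


def matches_selection(event):
    """selection: EventID 4781 and OldTargetUserName contains '$'."""
    return (event.get("EventID") == 4781
            and sigma_contains(event.get("OldTargetUserName", ""), "$"))


def matches_filter(event):
    """filter: NewTargetUserName contains '$'."""
    return sigma_contains(event.get("NewTargetUserName", ""), "$")


def rule_matches(event):
    """condition: selection and not filter."""
    return matches_selection(event) and not matches_filter(event)


def find_suspicious_renames(events):
    """Return the events the rule would alert on, in log order."""
    return [e for e in events if rule_matches(e)]


if __name__ == "__main__":
    for hit in find_suspicious_renames(SAMPLE_EVENTS):
        print(f"ALERT: {hit['SubjectUserName']} renamed {hit['OldTargetUserName']} "
              f"-> {hit['NewTargetUserName']} (EventID {hit['EventID']})")
```

Only the first record fires. The rename back (second record) is invisible to this rule because its old name no longer contains $, so an investigation should pull every 4781 for the same SubjectUserName around the alert to recover the full sequence. Note also that Event 4781 must be enabled on the domain controllers (Audit User Account Management and Audit Computer Account Management) for the log source to exist at all.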
References
- https://medium.com/@mvelazco/hunting-for-samaccountname-spoofing-cve-2021-42287-and-domain-controller-impersonation-f704513c8a45
Related rules
- COLDSTEEL Persistence Service Creation
- COLDSTEEL RAT Anonymous User Process Execution
- COLDSTEEL RAT Cleanup Command Execution
- COLDSTEEL RAT Service Persistence Execution
- Change to Authentication Method