Suspicious Computer Account Name Change CVE-2021-42287
Detects the renaming of an existing computer account to an account name that doesn't contain a $ symbol, as seen in attacks against CVE-2021-42287
Sigma rule
```yaml
title: Suspicious Computer Account Name Change CVE-2021-42287
id: 45eb2ae2-9aa2-4c3a-99a5-6e5077655466
status: test
description: Detects the renaming of an existing computer account to an account name that doesn't contain a $ symbol as seen in attacks against CVE-2021-42287
references:
    - https://medium.com/@mvelazco/hunting-for-samaccountname-spoofing-cve-2021-42287-and-domain-controller-impersonation-f704513c8a45
author: Florian Roth (Nextron Systems)
date: 2021-12-22
modified: 2022-12-25
tags:
    - attack.privilege-escalation
    - attack.defense-evasion
    - attack.persistence
    - attack.t1036
    - attack.t1098
    - cve.2021-42287
    - detection.emerging-threats
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4781 # "The name of an account was changed" (rename user)
        OldTargetUserName|contains: '$' # old name was a computer account
    filter:
        NewTargetUserName|contains: '$' # new name still looks like a computer account
    condition: selection and not filter
falsepositives:
    - Unknown
fields:
    - EventID
    - SubjectUserName
level: high
```
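As an added example (not part of the Sigma rule or its repository), the rule's `selection and not filter` logic applied in Python to constructed Security event 4781 records, using the same field names the rule references:

```python
"""Constructed 4781 events and a matcher for the rule's selection/filter logic.

The sample events below are made up for illustration; they are not real logs.
"""
from typing import Iterable, List, Tuple

# Constructed sample events (field names as used by the Sigma rule).
SAMPLE_EVENTS = [
    # Computer account renamed to a name without a trailing '$': rule fires.
    {"EventID": 4781, "SubjectUserName": "jdoe",
     "OldTargetUserName": "WS01$", "NewTargetUserName": "dc01"},
    # Ordinary computer rename keeps the '$': removed by the filter.
    {"EventID": 4781, "SubjectUserName": "admin",
     "OldTargetUserName": "WS02$", "NewTargetUserName": "WS02-NEW$"},
    # User account rename, no '$' in the old name: selection does not match.
    {"EventID": 4781, "SubjectUserName": "admin",
     "OldTargetUserName": "j.smith", "NewTargetUserName": "jane.smith"},
    # Different event ID (account created): selection does not match.
    {"EventID": 4720, "SubjectUserName": "admin",
     "OldTargetUserName": "WS03$", "NewTargetUserName": "ws03"},
]


def matches_rule(event: dict) -> bool:
    """True when `selection and not filter` holds for one event."""
    selection = (
        event.get("EventID") == 4781
        and "$" in str(event.get("OldTargetUserName", ""))
    )
    # The filter drops renames where the new name still contains '$'.
    filtered = "$" in str(event.get("NewTargetUserName", ""))
    return selection and not filtered


def alerts(events: Iterable[dict]) -> List[Tuple[str, str, str]]:
    """Return (SubjectUserName, old name, new name) for every matching event."""
    return [
        (str(e.get("SubjectUserName", "")),
         str(e.get("OldTargetUserName", "")),
         str(e.get("NewTargetUserName", "")))
        for e in events if matches_rule(e)
    ]


if __name__ == "__main__":
    for who, old, new in alerts(SAMPLE_EVENTS):
        print(f"ALERT: {who} renamed computer account {old!r} to {new!r}")
```

When run, only the first constructed event is reported, which is the rename pattern the rule is designed to catch.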