Potential CVE-2021-42287 Exploitation Attempt

calendar Nov 10, 2025 · attack.credential-access attack.t1558.003 detection.emerging-threats cve.2021-42287  ·
Share on: linkedin copy

The attacker creates a computer object using those permissions with a password known to her. After that she clears the attribute ServicePrincipalName on the computer object. Because she created the object (CREATOR OWNER), she gets granted additional permissions and can do many changes to the object.

Sigma rule (View on GitHub)

 1title: Potential CVE-2021-42287 Exploitation Attempt
 2id: e80a0fee-1a62-4419-b31e-0d0db6e6013a
 3related:
 4    - id: 44bbff3e-4ca3-452d-a49a-6efa4cafa06f
 5      type: similar
 6status: test
 7description: |
 8    The attacker creates a computer object using those permissions with a password known to her.
 9    After that she clears the attribute ServicePrincipalName on the computer object.
10    Because she created the object (CREATOR OWNER), she gets granted additional permissions and can do many changes to the object.    
11references:
12    - https://cloudbrothers.info/en/exploit-kerberos-samaccountname-spoofing/
13author: frack113
14date: 2021-12-15
15modified: 2023-04-14
16tags:
17    - attack.credential-access
18    - attack.t1558.003
19    - detection.emerging-threats
20    - cve.2021-42287
21logsource:
22    product: windows
23    service: system
24detection:
25    selection:
26        Provider_Name: Microsoft-Windows-Directory-Services-SAM  # Active Directory
27        EventID:
28            - 16990 # Object class and UserAccountControl validation failure
29            - 16991 # SAM Account Name validation failure
30    condition: selection
31falsepositives:
32    - Unknown
33level: medium

References

  • Exploit samAccountName spoofing with Kerberos

    When Microsoft released the November 2021 patches, the following CVEs caught the eye of many security professionals because they allow impersonation of a domain controller in an Active Directory environment. CVE-2021-42278 - KB5008102 Active Directory Security Accounts Manager hardening changes CVE-2021-42278 addresses a security bypass vulnerability that allows potential attackers to impersonate a domain controller using computer account sAMAccountName spoofing. CVE-2021-42287 KB5008380 Authentication updates CVE-2021-42287 addresses a security bypass vulnerability that affects the Kerberos Privilege Attribute Certificate (PAC) and allows potential attackers to impersonate domain controllers.


    Read More

Related rules

to-top