Win Susp Computer Name Containing Samtheadmin

calendar Nov 2, 2023 · cve.2021.42278 cve.2021.42287 attack.persistence attack.privilege_escalation attack.t1078  ·
Share on: linkedin copy

Detects suspicious computer name samtheadmin-{1..100}$ generated by hacktool

Sigma rule (View on GitHub)

 1title: Win Susp Computer Name Containing Samtheadmin
 2id: 39698b3f-da92-4bc6-bfb5-645a98386e45
 3status: test
 4description: Detects suspicious computer name samtheadmin-{1..100}$ generated by hacktool
 5references:
 6    - https://twitter.com/malmoeb/status/1511760068743766026
 7    - https://github.com/WazeHell/sam-theadmin/blob/main/sam_the_admin.py
 8    - https://github.com/helloexp/0day/blob/614227a7b9beb0e91e7e2c6a5e532e6f7a8e883c/00-CVE_EXP/CVE-2021-42287/sam-the-admin/sam_the_admin.py
 9author: elhoim
10date: 2022/09/09
11modified: 2023/01/04
12tags:
13    - cve.2021.42278
14    - cve.2021.42287
15    - attack.persistence
16    - attack.privilege_escalation
17    - attack.t1078
18logsource:
19    service: security
20    product: windows
21detection:
22    # Not adding an EventID on purpose to try to match on any event in security (including use of account), not just 4741 (computer account created)
23    selection1:
24        SamAccountName|startswith: 'SAMTHEADMIN-'
25        SamAccountName|endswith: '$'
26    selection2:
27        TargetUserName|startswith: 'SAMTHEADMIN-'
28        TargetUserName|endswith: '$'
29    condition: 1 of selection*
30fields:
31    - EventID
32    - SamAccountName
33    - SubjectUserName
34    - TargetUserName
35falsepositives:
36    - Unknown
37level: critical

References

Related rules

to-top