SamAccountName Spoofing and Domain Controller Impersonation

This rule detects the exploitation chain of CVE-2021-42287 (samAccountName Spoofing) and CVE-2021-42278 (Domain Controller Impersonation). It looks at event 4781 for evidence of a new computer account being created and then renamed to the name of a domain controller account without the trailing "$". Computer account names always end with "$", so a change like this is highly unusual. Immediately after the 4781 event, a Kerberos Ticket Granting Ticket (TGT) must be requested on behalf of the newly created and renamed computer account. A computer account name event will occur before this TGT request. Putting everything together, we may use events 4781 and 4768 to look for a series of events in which the new computer account name on event 4781 matches the requested account on event 4768. NOTE: On selection2, the TargetUserName should equal NewTargetUserName. I have left it as a placeholder, but this should change depending on the backend you are translating the query to. Splunk example: | eval RenamedComputerAccount = coalesce(New_Account_Name, mvindex(Account_Name,0)) | transaction RenamedComputerAccount endswith=(EventCode=4781)

Sigma rule

title: SamAccountName Spoofing and Domain Controller Impersonation
id: 74256088-d35f-40e4-91e6-601cfa2e7615
status: experimental
author: '@kostastsale'
description: >
    'This technique is to detect exploitation chain of CVE-2021-42287 (samAccountName Spoofing) and CVE-2021-42278 (Domain Controller Impersonation).
    It is looking into event 4781 for evidence of a new computer account creation and account rename that matches the name of a domain controller account without
    ending in "$". Computer account names always end with `$` and a change like this is highly unusual.

    Immediately after the 4781 event, a Kerberos Ticket Granting Ticket (TGT) must be requested on behalf of the newly created and renamed computer account.
    A computer account name event will occur before this TGT request.

    Putting everything together, we may use events 4781 and 4768 to look for a series of events in which the new computer account on event 4781 matches
    the requested account on event 4768.

    NOTE-- On selection2, the `TargetUserName` should equal `NewTargetUserName`. I have left it as a placeholder but this should change depending on the backend
    you are translating the query to.

    Splunk Example-- `| eval RenamedComputerAccount = coalesce(New_Account_Name, mvindex(Account_Name,0))
    | transaction RenamedComputerAccount endswith=(EventCode=4781)`'

date: 2022/02/21
references:
  - https://exploit.ph/cve-2021-42287-cve-2021-42278-weaponisation.html
  - https://medium.com/@mvelazco/hunting-for-samaccountname-spoofing-cve-2021-42287-and-domain-controller-impersonation-f704513c8a45
  - https://www.fortinet.com/blog/threat-research/cve-2021-42278-cve-2021-42287-from-user-to-domain-admin-60-seconds
logsource:
    product: windows
    service: security
detection:
    selection1:
        EventID: 4781
        OldTargetUserName|endswith: '$'
    selection2:
        EventID: 4768
        TargetUserName: '%NewTargetUserName%'
    filter:
        - NewTargetUserName|endswith: '$'
        - TargetUserName|endswith: '$'
    condition: (selection1 and selection2) and not filter
falsepositives:
    - Unknown
level: High
tags:
    - attack.privilege_escalation
    - attack.t1068
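The correlation the rule describes (selection1 and the filter on a 4781 rename that drops the trailing "$", then selection2 matching a 4768 TGT request for the new name), written out as a standalone Python check over constructed sample events. This is an added example, not part of the Sigma rule or the author's Splunk query; the event dicts, the "DC01"/"FAKEPC$" names and the 10-minute correlation window are assumptions made for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry): the fields of Windows Security
# events 4781 (account rename) and 4768 (TGT request) that the rule uses.
EVENTS = [
    # Suspicious chain: a computer account is renamed to a DC name without '$',
    # then a TGT is requested for that name.
    {"time": "2022-02-21T10:00:05", "EventID": 4781,
     "OldTargetUserName": "FAKEPC$", "NewTargetUserName": "DC01"},
    {"time": "2022-02-21T10:00:07", "EventID": 4768, "TargetUserName": "DC01"},
    # Benign: workstation renamed but keeps its trailing '$' (filter excludes it).
    {"time": "2022-02-21T11:00:00", "EventID": 4781,
     "OldTargetUserName": "WS01$", "NewTargetUserName": "WS02$"},
    {"time": "2022-02-21T11:00:03", "EventID": 4768, "TargetUserName": "WS02$"},
    # Benign: user account rename; the old name was never a computer account.
    {"time": "2022-02-21T12:00:00", "EventID": 4781,
     "OldTargetUserName": "jdoe", "NewTargetUserName": "john.doe"},
    {"time": "2022-02-21T12:00:02", "EventID": 4768, "TargetUserName": "john.doe"},
]


def find_spoofing_chains(events, window=timedelta(minutes=10)):
    """Return (rename_event, tgt_event) pairs where a 4781 drops the '$' from a
    computer account name and a 4768 for that new name follows within
    `window` (the window is an assumption; the Sigma rule has none)."""
    ordered = sorted(events, key=lambda e: e["time"])  # ISO timestamps sort lexically
    hits = []
    for i, ev in enumerate(ordered):
        if ev["EventID"] != 4781:
            continue
        old, new = ev["OldTargetUserName"], ev["NewTargetUserName"]
        # selection1 and filter: old name was a computer account ('$'), new is not.
        if not old.endswith("$") or new.endswith("$"):
            continue
        t0 = datetime.fromisoformat(ev["time"])
        for later in ordered[i + 1:]:
            if datetime.fromisoformat(later["time"]) - t0 > window:
                break
            # selection2: TGT requested for the renamed account. sAMAccountName
            # matching in AD is case-insensitive, hence casefold().
            if later["EventID"] == 4768 and \
                    later.get("TargetUserName", "").casefold() == new.casefold():
                hits.append((ev, later))
                break
    return hits


if __name__ == "__main__":
    for rename, tgt in find_spoofing_chains(EVENTS):
        print(f"{rename['OldTargetUserName']} -> {rename['NewTargetUserName']} "
              f"then TGT for {tgt['TargetUserName']} at {tgt['time']}")
```

Only the FAKEPC$ to DC01 rename followed by a TGT for DC01 is reported; the two benign renames are dropped by the "$" checks, mirroring the rule's filter.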
