LoFP / renaming a computer account name to a name that does not end with '$' is highly unusual and may not have any legitimate scenarios.

Techniques

Sample rules

Suspicious Computer Account Name Change

Description

The following analytic detects a suspicious computer account name change in Active Directory. It leverages Event ID 4781, which logs account name changes, to identify instances where a computer account name is changed to one that does not end with a $. This behavior is significant as it may indicate an attempt to exploit CVE-2021-42278 and CVE-2021-42287, which can lead to domain controller impersonation and privilege escalation. If confirmed malicious, this activity could allow an attacker to gain elevated privileges and potentially control the domain.

Detection logic

`wineventlog_security` EventCode=4781 OldTargetUserName="*$" NewTargetUserName!="*$" 
| table _time, Computer, Caller_User_Name, OldTargetUserName, NewTargetUserName 
| rename Computer as dest 
| `suspicious_computer_account_name_change_filter`
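The same filter as the search above, applied to a handful of constructed Event ID 4781/4738 records in a simplified key=value layout; this is an added example, not code from the page or from Splunk, and the sample lines, host names and account names are invented.

```python
import re

# Constructed sample Security log lines (not real telemetry), simplified to the
# fields the Splunk search uses: one genuine rename of a computer account to a
# name without '$', one routine computer-to-computer rename, one user rename,
# and one event that is not 4781 at all.
SAMPLE_EVENTS = [
    '_time="2021-12-10T09:14:02Z" EventCode=4781 Computer="DC01.corp.example" '
    'Caller_User_Name="jsmith" OldTargetUserName="WS-FIN-07$" NewTargetUserName="DC01"',
    '_time="2021-12-10T09:20:11Z" EventCode=4781 Computer="DC01.corp.example" '
    'Caller_User_Name="svc_sccm" OldTargetUserName="WS-FIN-07$" NewTargetUserName="WS-FIN-08$"',
    '_time="2021-12-10T09:25:40Z" EventCode=4781 Computer="DC01.corp.example" '
    'Caller_User_Name="hr_admin" OldTargetUserName="jdoe" NewTargetUserName="jane.doe"',
    '_time="2021-12-10T09:30:00Z" EventCode=4738 Computer="DC01.corp.example" '
    'Caller_User_Name="hr_admin" OldTargetUserName="LAPTOP-22$" NewTargetUserName="LAPTOP-22"',
]

# key=value pairs, value either double-quoted or bare
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line):
    """Turn one key=value log line into a dict."""
    return {key: (quoted or bare) for key, quoted, bare in FIELD_RE.findall(line)}


def is_suspicious_rename(event):
    """Mirror the search: EventCode 4781, old name is a computer account
    (ends with '$'), new name no longer is."""
    return (event.get("EventCode") == "4781"
            and event.get("OldTargetUserName", "").endswith("$")
            and not event.get("NewTargetUserName", "").endswith("$"))


def detect(lines):
    """Return the columns the search tables, with Computer renamed to dest."""
    hits = []
    for event in map(parse_event, lines):
        if is_suspicious_rename(event):
            hits.append({
                "_time": event["_time"],
                "dest": event["Computer"],
                "Caller_User_Name": event["Caller_User_Name"],
                "OldTargetUserName": event["OldTargetUserName"],
                "NewTargetUserName": event["NewTargetUserName"],
            })
    return hits


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit)
```

Only the first sample line is returned; the computer-to-computer rename, the user rename and the non-4781 event are all excluded, which is the same tuning the `NewTargetUserName!="*$"` clause provides.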