LoFP / Renaming a computer account to a name that does not end with '$' is highly unusual and may not have any legitimate scenarios.

Techniques

Sample rules

Suspicious Computer Account Name Change

Description

As part of the sAMAccountName Spoofing (CVE-2021-42278) and Domain Controller Impersonation (CVE-2021-42287) exploitation chain, adversaries need to create a new computer account and rename it to match the name of a domain controller account without the trailing '$'. In Windows Active Directory environments, computer account names always end with '$'. This analytic leverages Event ID 4781 ("The name of an account was changed") to identify a computer account rename event whose new name does not end with '$'. This behavior could represent an attempt to exploit CVE-2021-42278 and CVE-2021-42287 for privilege escalation.

Detection logic

`wineventlog_security` EventCode=4781 OldTargetUserName="*$" NewTargetUserName!="*$" 
| table _time, Computer, Caller_User_Name, OldTargetUserName, NewTargetUserName 
| rename Computer as dest 
| `suspicious_computer_account_name_change_filter`
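The same detection logic in Python, run over constructed 4781 records, as an added example that is not part of the LoFP page or the rule's own code. The dc_accounts list of domain controller sAMAccountNames is an assumption supplied by the caller so that a rename to a DC name minus its '$' (the exact shape the CVE-2021-42278 / CVE-2021-42287 chain needs) is singled out from other odd renames.

```python
import re
from dataclasses import dataclass

# Constructed sample records (not real log output) in a simplified key=value
# form, using the field names the Splunk query above selects.
SAMPLE_EVENTS = [
    "EventCode=4781 _time=2021-12-12T10:01:02 Computer=DC01.corp.example "
    "Caller_User_Name=jdoe OldTargetUserName=WS-FINANCE$ NewTargetUserName=WS-FIN-01$",
    "EventCode=4781 _time=2021-12-12T10:05:44 Computer=DC01.corp.example "
    "Caller_User_Name=lowpriv OldTargetUserName=FAKECOMP$ NewTargetUserName=DC01",
    "EventCode=4781 _time=2021-12-12T10:06:10 Computer=DC01.corp.example "
    "Caller_User_Name=hr.admin OldTargetUserName=jsmith NewTargetUserName=john.smith",
    "EventCode=4720 _time=2021-12-12T10:07:00 Computer=DC01.corp.example "
    "Caller_User_Name=lowpriv TargetUserName=FAKECOMP$",
]

FIELD_RE = re.compile(r"(\w+)=(\S+)")

@dataclass
class Finding:
    time: str
    dest: str          # the query's "rename Computer as dest"
    caller: str
    old_name: str
    new_name: str
    matches_dc: bool   # new name equals a known DC account with its '$' stripped

def parse_event(line: str) -> dict:
    """Turn one key=value record into a dict of its fields."""
    return dict(FIELD_RE.findall(line))

def find_suspicious_renames(lines, dc_accounts=()):
    """Mirror the SPL: EventCode=4781, old name ends with '$', new name does not.
    dc_accounts is an assumed, caller-supplied list of domain controller
    sAMAccountNames (e.g. 'DC01$'); a rename to one of them minus the '$' is the
    shape the CVE-2021-42278 / CVE-2021-42287 chain requires, so it is marked."""
    dc_bare = {name.rstrip("$").upper() for name in dc_accounts}
    findings = []
    for line in lines:
        ev = parse_event(line)
        old, new = ev.get("OldTargetUserName", ""), ev.get("NewTargetUserName", "")
        if ev.get("EventCode") != "4781" or not old.endswith("$") or new.endswith("$"):
            continue  # not a rename, an ordinary computer rename, or a user rename
        findings.append(Finding(
            time=ev.get("_time", ""), dest=ev.get("Computer", ""),
            caller=ev.get("Caller_User_Name", ""), old_name=old, new_name=new,
            matches_dc=new.upper() in dc_bare,
        ))
    return findings
```

Run against the samples with dc_accounts=["DC01$"], only the FAKECOMP$ to DC01 rename is reported, with matches_dc set; the user rename and the ordinary workstation rename fall through exactly as they do in the SPL.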