Suspicious Computer Account Name Change
- source: splunk
- techniques:
- T1078
- T1078.002
Description
As part of the sAMAccountName Spoofing (CVE-2021-42278) and Domain Controller Impersonation (CVE-2021-42287) exploitation chain, adversaries need to create a new computer account and rename it to match the name of a domain controller account without the trailing '$'. In Windows Active Directory environments, computer account names always end with '$'. This analytic leverages Event ID 4781, "The name of an account was changed", to identify a computer account rename event in which the new name does not end with '$'. This behavior could represent an exploitation attempt of CVE-2021-42278 and CVE-2021-42287 for privilege escalation.
Detection logic
`wineventlog_security` EventCode=4781 OldTargetUserName="*$" NewTargetUserName!="*$"
| table _time, Computer, Caller_User_Name, OldTargetUserName, NewTargetUserName
| rename Computer as dest
| `suspicious_computer_account_name_change_filter`
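The same predicate as the search above, re-implemented offline so the logic can be checked against a handful of constructed Event ID 4781 records (an added example, not the rule's own code). The key=value log format, the field names, and the optional `dc_names` list used to tag renames that collide with a known domain controller account name are assumptions for this illustration.

```python
"""Offline re-implementation of the Splunk search for Event ID 4781 renames."""
import shlex

# Constructed sample events in a key=value form; not real Windows log output.
SAMPLE_EVENTS = [
    '_time=2021-12-12T10:01:00Z EventCode=4781 Computer=DC01.corp.local '
    'Caller_User_Name=jsmith OldTargetUserName="WORKSTN42$" NewTargetUserName="DC01"',
    '_time=2021-12-12T10:02:00Z EventCode=4781 Computer=DC01.corp.local '
    'Caller_User_Name=admin OldTargetUserName="OLDPC01$" NewTargetUserName="NEWPC01$"',
    '_time=2021-12-12T10:03:00Z EventCode=4781 Computer=DC01.corp.local '
    'Caller_User_Name=admin OldTargetUserName=jdoe NewTargetUserName=jdoe2',
    '_time=2021-12-12T10:04:00Z EventCode=4720 Computer=DC01.corp.local '
    'Caller_User_Name=admin OldTargetUserName="X$" NewTargetUserName=X',
]


def parse_event(line):
    """Split a key=value line into a dict; shlex strips the quoting around values."""
    fields = {}
    for token in shlex.split(line):
        key, _, value = token.partition("=")
        fields[key] = value
    return fields


def is_suspicious_rename(event):
    """Mirror of: EventCode=4781 OldTargetUserName="*$" NewTargetUserName!="*$"."""
    return (
        event.get("EventCode") == "4781"
        and event.get("OldTargetUserName", "").endswith("$")
        and not event.get("NewTargetUserName", "").endswith("$")
    )


def detect(lines, dc_names=()):
    """Return the table rows the search would emit. dc_names is an assumed extra
    input (not part of the Splunk rule) used to flag new names that, once '$' is
    re-appended, equal a known domain controller account name."""
    known_dcs = {name.upper() for name in dc_names}
    rows = []
    for line in lines:
        ev = parse_event(line)
        if not is_suspicious_rename(ev):
            continue
        new_name = ev["NewTargetUserName"]
        rows.append({
            "_time": ev.get("_time"),
            "dest": ev.get("Computer"),  # rename Computer as dest
            "Caller_User_Name": ev.get("Caller_User_Name"),
            "OldTargetUserName": ev["OldTargetUserName"],
            "NewTargetUserName": new_name,
            "matches_dc_name": (new_name.upper() + "$") in known_dcs,
        })
    return rows


if __name__ == "__main__":
    for row in detect(SAMPLE_EVENTS, dc_names=["DC01$"]):
        print(row)
```

Only the first constructed event is returned: the second keeps its trailing '$', the third is a user account rename, and the fourth is not Event ID 4781.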