/
win_security_susp_computer_name.yml
37 lines (37 loc) · 1.22 KB
/
win_security_susp_computer_name.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
title: Win Susp Computer Name Containing Samtheadmin
id: 39698b3f-da92-4bc6-bfb5-645a98386e45
status: test
description: Detects suspicious computer name samtheadmin-{1..100}$ generated by hacktool
references:
- https://twitter.com/malmoeb/status/1511760068743766026
- https://github.com/WazeHell/sam-theadmin/blob/main/sam_the_admin.py
- https://github.com/helloexp/0day/blob/614227a7b9beb0e91e7e2c6a5e532e6f7a8e883c/00-CVE_EXP/CVE-2021-42287/sam-the-admin/sam_the_admin.py
author: elhoim
date: 2022/09/09
modified: 2023/01/04
tags:
- cve.2021.42278
- cve.2021.42287
- attack.persistence
- attack.privilege_escalation
- attack.t1078
logsource:
service: security
product: windows
detection:
# Not adding an EventID on purpose to try to match on any event in security (including use of account), not just 4741 (computer account created)
selection1:
SamAccountName|startswith: 'SAMTHEADMIN-'
SamAccountName|endswith: '$'
selection2:
TargetUserName|startswith: 'SAMTHEADMIN-'
TargetUserName|endswith: '$'
condition: 1 of selection*
fields:
- EventID
- SamAccountName
- SubjectUserName
- TargetUserName
falsepositives:
- Unknown
level: critical