suspicious_computer_account_name_change.yml
name: Suspicious Computer Account Name Change
id: 35a61ed8-61c4-11ec-bc1e-acde48001122
version: 2
date: '2024-04-26'
author: Mauricio Velazco, Splunk
status: production
type: TTP
description: As part of the sAMAccountName Spoofing (CVE-2021-42278) and Domain Controller
  Impersonation (CVE-2021-42287) exploitation chain, adversaries need to create a
  new computer account name and rename it to match the name of a domain controller
  account without the ending '$'. In Windows Active Directory environments, computer
  account names always end with `$`. This analytic leverages Event ID 4781, `The name
  of an account was changed`, to identify a computer account rename event with a suspicious
  name that does not terminate with `$`. This behavior could represent an exploitation
  attempt of CVE-2021-42278 and CVE-2021-42287 for privilege escalation.
data_source:
- Windows Event Log Security 4781
search: '`wineventlog_security` EventCode=4781 OldTargetUserName="*$" NewTargetUserName!="*$"
  | table _time, Computer, Caller_User_Name, OldTargetUserName, NewTargetUserName | rename Computer as dest |
  `suspicious_computer_account_name_change_filter`'
how_to_implement: To successfully implement this search, you need to be ingesting
  Windows event logs from your hosts. In addition, the Splunk Windows TA is needed.
known_false_positives: Renaming a computer account name to a name that does not end with
  '$' is highly unusual and may not have any legitimate scenarios.
references:
- https://exploit.ph/cve-2021-42287-cve-2021-42278-weaponisation.html
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-42278
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-42287
tags:
  analytic_story:
  - sAMAccountName Spoofing and Domain Controller Impersonation
  - Active Directory Privilege Escalation
  asset_type: Endpoint
  confidence: 70
  cve:
  - CVE-2021-42287
  - CVE-2021-42278
  impact: 100
  message: A computer account $OldTargetUserName$ was renamed with a suspicious computer
    name on $dest$
  mitre_attack_id:
  - T1078
  - T1078.002
  observable:
  - name: dest
    type: Endpoint
    role:
    - Victim
  - name: OldTargetUserName
    type: User
    role:
    - Victim
  product:
  - Splunk Enterprise
  - Splunk Enterprise Security
  - Splunk Cloud
  required_fields:
  - _time
  - EventCode
  - Computer
  - Caller_User_Name
  - OldTargetUserName
  - NewTargetUserName
  risk_score: 70
  security_domain: endpoint
tests:
- name: True Positive Test
  attack_data:
  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078.002/suspicious_computer_account_name_change/windows-xml.log
    source: XmlWinEventLog:Security
    sourcetype: XmlWinEventLog
    update_timestamp: true
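The SPL search above reduces to one condition on Event ID 4781: the old account name ends with `$` and the new one does not. The following Python is an added example, not part of the Splunk security_content rule or its test data; it applies that same condition to constructed XmlWinEventLog samples so the filter can be checked offline. The XML events, host names and account names are constructed, and the mapping of the rule's `Caller_User_Name` field to the XML `SubjectUserName` data element is an assumption about the Windows TA's field extraction.

```python
"""Apply the 4781 rename check from the detection to constructed XML events."""
import xml.etree.ElementTree as ET

# Windows event XML namespace used by XmlWinEventLog:Security records.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}


def _event(event_id, computer, subject, old_name, new_name):
    """Build a minimal constructed 4781-style event (not real telemetry)."""
    return (
        '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
        f"<System><EventID>{event_id}</EventID><Computer>{computer}</Computer></System>"
        "<EventData>"
        f'<Data Name="SubjectUserName">{subject}</Data>'
        f'<Data Name="OldTargetUserName">{old_name}</Data>'
        f'<Data Name="NewTargetUserName">{new_name}</Data>'
        "</EventData></Event>"
    )


# Constructed samples: (1) a computer account renamed to a name without the
# trailing '$', which is what the rule flags; (2) a routine computer rename
# that keeps the '$'; (3) a user account rename, which never had a '$'.
SAMPLE_EVENTS = [
    _event(4781, "dc01.lab.local", "lowpriv", "WS-TEMP$", "DC01"),
    _event(4781, "dc01.lab.local", "admin", "WS-OLD$", "WS-NEW$"),
    _event(4781, "dc01.lab.local", "admin", "jdoe", "john.doe"),
]


def parse_event(xml_text):
    """Extract the fields the rule's `table` command selects, using the
    rule's own field names (Caller_User_Name <- SubjectUserName is assumed)."""
    root = ET.fromstring(xml_text)
    data = {d.get("Name"): (d.text or "")
            for d in root.findall("e:EventData/e:Data", NS)}
    return {
        "EventCode": int(root.findtext("e:System/e:EventID", namespaces=NS)),
        "dest": root.findtext("e:System/e:Computer", namespaces=NS),  # rename Computer as dest
        "Caller_User_Name": data.get("SubjectUserName", ""),
        "OldTargetUserName": data.get("OldTargetUserName", ""),
        "NewTargetUserName": data.get("NewTargetUserName", ""),
    }


def is_suspicious_rename(ev):
    """EventCode=4781 OldTargetUserName="*$" NewTargetUserName!="*$" """
    return (
        ev["EventCode"] == 4781
        and ev["OldTargetUserName"].endswith("$")
        and not ev["NewTargetUserName"].endswith("$")
    )


def run_detection(xml_events):
    """Return the parsed events that match the rule's condition."""
    parsed = (parse_event(x) for x in xml_events)
    return [ev for ev in parsed if is_suspicious_rename(ev)]


def build_message(ev):
    """Render the rule's `message` template for one matching event."""
    return (f"A computer account {ev['OldTargetUserName']} was renamed "
            f"with a suspicious computer name on {ev['dest']}")


if __name__ == "__main__":
    for hit in run_detection(SAMPLE_EVENTS):
        print(build_message(hit), "| caller:", hit["Caller_User_Name"])
```

Only the first sample matches: the second keeps the `$` suffix and the third is a user rename whose old name never carried one, which is the same separation the SPL wildcards `"*$"` and `!="*$"` perform.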