Detection | critical | test
Win Susp Computer Name Containing Samtheadmin
Detects the suspicious computer account name pattern samtheadmin-{1..100}$ that the public sAMAccountName spoofing hacktool for CVE-2021-42278 / CVE-2021-42287 (commonly referred to as noPac or sam-the-admin) generates by default for the machine account it creates.
Log Source
Product: windows
Service: security
Detection Logic (2 selectors)
detection:
  # Not adding an EventID on purpose to try to match on any event in security (including use of account), not just 4741 (computer account created)
  selection1:
    SamAccountName|startswith: 'SAMTHEADMIN-'
    SamAccountName|endswith: '$'
  selection2:
    TargetUserName|startswith: 'SAMTHEADMIN-'
    TargetUserName|endswith: '$'
  condition: 1 of selection*
False Positives
Unknown
False positive likelihood has not been assessed. Legitimate computer accounts with this prefix are unlikely, so treat a hit as high priority and, during triage, pivot on the SubjectUserName in the corresponding 4741 (computer account created) and 4742 (computer account changed) events and check whether the account's sAMAccountName was later changed to a domain controller's name without the trailing '$', which is the CVE-2021-42278 step of the attack.
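The following is an added example, not code from the Sigma rule or from this page: it evaluates the rule's two selectors (with the case-insensitive startswith/endswith semantics Sigma applies by default and the "1 of selection*" condition) over a handful of constructed Windows Security event records. The event dictionaries, their field names and the SubjectUserName values are all made up for the example; the field names follow the windows/security field naming the rule itself uses. One caveat the example makes visible: only the tool's default name pattern is matched, and an operator who passes a custom computer name to the tool will not trigger selection1 or selection2, so this rule catches unmodified tooling rather than the technique itself.

```python
"""Added example (not part of the Sigma rule or this page): evaluate the
rule's two selectors over constructed Windows Security event records."""
from __future__ import annotations

# Literal values taken from the rule's selectors.
PREFIX = "SAMTHEADMIN-"
SUFFIX = "$"


def field_matches(value: object) -> bool:
    """Sigma's startswith/endswith modifiers compare case-insensitively by
    default, so the comparison is done on casefolded strings."""
    if not isinstance(value, str):
        return False
    v = value.casefold()
    return v.startswith(PREFIX.casefold()) and v.endswith(SUFFIX)


def matched_selectors(event: dict) -> list[str]:
    """Return the names of the selectors that fire for one event.
    'condition: 1 of selection*' means any non-empty result is a hit."""
    hits = []
    if field_matches(event.get("SamAccountName")):
        hits.append("selection1")
    if field_matches(event.get("TargetUserName")):
        hits.append("selection2")
    return hits


def rule_matches(event: dict) -> bool:
    return bool(matched_selectors(event))


def matching_event_ids(events) -> list[int]:
    """EventIDs of all matching records, in input order (duplicates kept)."""
    return [e["EventID"] for e in events if rule_matches(e)]


# Constructed sample events (hypothetical data), trimmed to the fields that
# matter for this rule.
SAMPLE_EVENTS = [
    # 4741 computer account created with the tool's default name pattern
    {"EventID": 4741, "SamAccountName": "SAMTHEADMIN-73$",
     "TargetUserName": "SAMTHEADMIN-73$", "SubjectUserName": "jdoe"},
    # 4742 computer account changed: letter case differs, still matches
    {"EventID": 4742, "SamAccountName": "samtheadmin-73$",
     "TargetUserName": "samtheadmin-73$", "SubjectUserName": "jdoe"},
    # 4624 logon with the rogue account: only TargetUserName is present,
    # which is why the rule deliberately does not pin an EventID
    {"EventID": 4624, "TargetUserName": "SAMTHEADMIN-73$", "LogonType": 3},
    # 4741 for an ordinary workstation: no match
    {"EventID": 4741, "SamAccountName": "WS-FINANCE-01$",
     "TargetUserName": "WS-FINANCE-01$", "SubjectUserName": "svc-sccm"},
    # 4720 user account that merely starts with the prefix: no trailing '$',
    # so the endswith guard rejects it
    {"EventID": 4720, "SamAccountName": "samtheadmin",
     "TargetUserName": "samtheadmin", "SubjectUserName": "helpdesk"},
    # event carrying neither field
    {"EventID": 4672, "SubjectUserName": "Administrator"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["EventID"], matched_selectors(ev) or "-")
```

Run over the sample set, the 4741, 4742 and 4624 records fire and the other three do not; the 4624 hit fires on selection2 alone because logon events carry no SamAccountName field.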
MITRE ATT&CK
Tactics
Initial Access, Defense Evasion, Persistence, Privilege Escalation
Techniques
T1078 (Valid Accounts)
Other
CVE-2021-42278, CVE-2021-42287
Rule Metadata
Rule ID
39698b3f-da92-4bc6-bfb5-645a98386e45
Status
test
Level
critical
Type
Detection
Created
Fri Sep 09
Modified
Wed Jan 04
Author
Path
rules/windows/builtin/security/win_security_susp_computer_name.yml
Raw Tags
attack.initial-access, attack.defense-evasion, cve.2021-42278, cve.2021-42287, attack.persistence, attack.privilege-escalation, attack.t1078