Emerging Threatmediumtest
Potential CVE-2021-42278 Exploitation Attempt
The attacker creates a computer object using those permissions with a password known to her. After that she clears the attribute ServicePrincipalName on the computer object. Because she created the object (CREATOR OWNER), she gets granted additional permissions and can do many changes to the object.
Convert In Phoenix Studio
Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.
Launch
Emerging Threat
Active Threat
Developed to detect an active or emerging threat. Prioritize investigation of any alerts and correlate with threat intelligence.
Log Source
Windowssystem
ProductWindows← raw: windows
Servicesystem← raw: system
Detection Logic
Detection Logic1 selector
detection:
selection:
Provider_Name: 'Microsoft-Windows-Kerberos-Key-Distribution-Center' # Active Directory
EventID:
- 35 # PAC without attributes
- 36 # Ticket without a PAC
- 37 # Ticket without Requestor
- 38 # Requestor Mismatch
condition: selectionFalse Positives
Unknown
False positive likelihood has not been assessed. Additional context may be needed during triage.
References
MITRE ATT&CK
Tactics
Sub-techniques
Other
cve.2021-42278detection.emerging-threats
Rule Metadata
Rule ID
44bbff3e-4ca3-452d-a49a-6efa4cafa06f
Status
test
Level
medium
Type
Emerging Threat
Created
Wed Dec 15
Modified
Fri Apr 14
Author
Path
rules-emerging-threats/2021/Exploits/CVE-2021-42278/win_system_exploit_cve_2021_42278.yml
Raw Tags
attack.credential-accessattack.t1558.003cve.2021-42278detection.emerging-threats