Emerging Threathightest

Suspicious Computer Account Name Change CVE-2021-42287

Detects the renaming of an existing computer account to a account name that doesn't contain a $ symbol as seen in attacks against CVE-2021-42287

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Florian Roth (Nextron Systems)Created Wed Dec 22Updated Sun Dec 2545eb2ae2-9aa2-4c3a-99a5-6e50776554662021

Emerging Threat

Active Threat

Developed to detect an active or emerging threat. Prioritize investigation of any alerts and correlate with threat intelligence.

Log Source

Windowssecurity

ProductWindows← raw: windows

Servicesecurity← raw: security

Detection Logic

detection:
    selection:
        EventID: 4781 # rename user
        OldTargetUserName|contains: '$'
    filter:
        NewTargetUserName|contains: '$'
    condition: selection and not filter

False Positives

Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References

Resolving title…

medium.com

MITRE ATT&CK

Tactics

TA0004 · Privilege Escalation TA0005 · Defense Evasion TA0003 · Persistence

Techniques

T1036 · Masquerading T1098 · Account Manipulation

Other

cve.2021-42287detection.emerging-threats

Rule Metadata

Rule ID

45eb2ae2-9aa2-4c3a-99a5-6e5077655466

Status

test

Level

high

Type

Emerging Threat

Created

Wed Dec 22

Modified

Sun Dec 25

Author

Florian Roth (Nextron Systems)

Path

rules-emerging-threats/2021/Exploits/CVE-2021-42287/win_security_samaccountname_spoofing_cve_2021_42287.yml

Raw Tags

attack.privilege-escalationattack.defense-evasionattack.persistenceattack.t1036attack.t1098cve.2021-42287detection.emerging-threats

View on GitHub