Emerging Threatmediumtest
Potential CVE-2021-42287 Exploitation Attempt
The attacker creates a computer object using those permissions with a password known to her. After that she clears the attribute ServicePrincipalName on the computer object. Because she created the object (CREATOR OWNER), she gets granted additional permissions and can do many changes to the object.
Convert In Phoenix Studio
Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.
Launch
Emerging Threat
Active Threat
Developed to detect an active or emerging threat. Prioritize investigation of any alerts and correlate with threat intelligence.
Log Source
Windowssystem
ProductWindows← raw: windows
Servicesystem← raw: system
Detection Logic
Detection Logic1 selector
detection:
selection:
Provider_Name: Microsoft-Windows-Directory-Services-SAM # Active Directory
EventID:
- 16990 # Object class and UserAccountControl validation failure
- 16991 # SAM Account Name validation failure
condition: selectionFalse Positives
Unknown
False positive likelihood has not been assessed. Additional context may be needed during triage.
References
MITRE ATT&CK
Tactics
Sub-techniques
Other
detection.emerging-threatscve.2021-42287
Rule Metadata
Rule ID
e80a0fee-1a62-4419-b31e-0d0db6e6013a
Status
test
Level
medium
Type
Emerging Threat
Created
Wed Dec 15
Modified
Fri Apr 14
Author
Path
rules-emerging-threats/2021/Exploits/CVE-2021-42287/win_system_exploit_cve_2021_42287.yml
Raw Tags
attack.credential-accessattack.t1558.003detection.emerging-threatscve.2021-42287