[New Rule] Potential Privileged Escalation via SamAccountName Spoofing (#1660)
* [New Rule] Potential Privileged Escalation via SamAccountName Spoofing
Identifies a suspicious computer account name rename event, this may indicate an attempt to exploit CVE-2021-42278 to elevated privileges from standard domain user to domain admin privileges. CVE-2021-42278 is a security vulnerability that allows potential attackers to impersonate a domain controller using computer account sAMAccountName spoofing.
https://cloudbrothers.info/en/exploit-kerberos-samaccountname-spoofing/
https://github.com/cube0x0/noPac
EQL
```
iam where event.action == "renamed-user-account" and
/* machine account name renamed to user like account name */
winlog.event_data.OldTargetUserName : "*$" and not winlog.event_data.NewTargetUserName : "*$"
```
* Create privilege_escalation_samaccountname_spoofing_attack.toml
* Update non-ecs-schema.json
* extra ref
* toml linted
* ref for MS kb5008102
* more ref
* Update rules/windows/privilege_escalation_samaccountname_spoofing_attack.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
* Update rules/windows/privilege_escalation_samaccountname_spoofing_attack.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update non-ecs-schema.json
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
(cherry picked from commit 26fb8e83a5)
This commit is contained in:
Samirbous
committed by
github-actions[bot]
github-actions[bot]
parent
883eed11ac
commit
37d528d98f
@@ -23,7 +23,9 @@
|
||||
"TargetImage": "keyword",
|
||||
"TargetLogonId": "keyword",
|
||||
"TargetProcessGUID": "keyword",
|
||||
"TargetSid": "keyword"
|
||||
"TargetSid": "keyword",
|
||||
"OldTargetUserName": "keyword",
|
||||
"NewTargetUserName": "keyword"
|
||||
}
|
||||
},
|
||||
"winlog.logon.type": "keyword",
|
||||
|
||||
@@ -0,0 +1,68 @@
|
||||
[metadata]
|
||||
creation_date = "2021/12/12"
|
||||
maturity = "production"
|
||||
updated_date = "2021/12/12"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
description = """
|
||||
Identifies a suspicious computer account name rename event, which may indicate an attempt to exploit CVE-2021-42278 to
|
||||
elevate privileges from a standard domain user to a user with domain admin privileges. CVE-2021-42278 is a security vulnerability
|
||||
that allows potential attackers to impersonate a domain controller via samAccountName attribute spoofing.
|
||||
"""
|
||||
from = "now-9m"
|
||||
index = ["winlogbeat-*", "logs-windows.*"]
|
||||
language = "eql"
|
||||
license = "Elastic License v2"
|
||||
name = "Potential Privileged Escalation via SamAccountName Spoofing"
|
||||
references = [
|
||||
"https://support.microsoft.com/en-us/topic/kb5008102-active-directory-security-accounts-manager-hardening-changes-cve-2021-42278-5975b463-4c95-45e1-831a-d120004e258e",
|
||||
"https://cloudbrothers.info/en/exploit-kerberos-samaccountname-spoofing/",
|
||||
"https://github.com/cube0x0/noPac",
|
||||
"https://twitter.com/exploitph/status/1469157138928914432",
|
||||
"https://exploit.ph/cve-2021-42287-cve-2021-42278-weaponisation.html",
|
||||
]
|
||||
risk_score = 73
|
||||
rule_id = "bdcf646b-08d4-492c-870a-6c04e3700034"
|
||||
severity = "high"
|
||||
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Persistence", "Privilege Escalation"]
|
||||
timestamp_override = "event.ingested"
|
||||
type = "eql"
|
||||
|
||||
query = '''
|
||||
iam where event.action == "renamed-user-account" and
|
||||
/* machine account name renamed to user like account name */
|
||||
winlog.event_data.OldTargetUserName : "*$" and not winlog.event_data.NewTargetUserName : "*$"
|
||||
'''
|
||||
|
||||
|
||||
[[rule.threat]]
|
||||
framework = "MITRE ATT&CK"
|
||||
[[rule.threat.technique]]
|
||||
reference = "https://attack.mitre.org/techniques/T1078/"
|
||||
name = "Valid Accounts"
|
||||
id = "T1078"
|
||||
[[rule.threat.technique.subtechnique]]
|
||||
reference = "https://attack.mitre.org/techniques/T1078/002/"
|
||||
name = "Domain Accounts"
|
||||
id = "T1078.002"
|
||||
|
||||
|
||||
|
||||
[rule.threat.tactic]
|
||||
reference = "https://attack.mitre.org/tactics/TA0004/"
|
||||
name = "Privilege Escalation"
|
||||
id = "TA0004"
|
||||
[[rule.threat]]
|
||||
framework = "MITRE ATT&CK"
|
||||
[[rule.threat.technique]]
|
||||
reference = "https://attack.mitre.org/techniques/T1098/"
|
||||
name = "Account Manipulation"
|
||||
id = "T1098"
|
||||
|
||||
|
||||
[rule.threat.tactic]
|
||||
reference = "https://attack.mitre.org/tactics/TA0003/"
|
||||
name = "Persistence"
|
||||
id = "TA0003"
|
||||
|
||||
Reference in New Issue
Block a user