sigma-rules

Files

T

Samirbous c8671b4a1e [New Rule] Potential Privileged Escalation via SamAccountName Spoofing (#1660 )

* [New Rule] Potential Privileged Escalation via SamAccountName Spoofing

Identifies a suspicious computer account name rename event, this may indicate an attempt to exploit CVE-2021-42278 to elevated privileges from standard domain user to domain admin privileges. CVE-2021-42278 is a security vulnerability that allows potential attackers to impersonate a domain controller using computer account sAMAccountName spoofing.

https://cloudbrothers.info/en/exploit-kerberos-samaccountname-spoofing/
https://github.com/cube0x0/noPac

EQL

```
iam where event.action == "renamed-user-account" and
  /* machine account name renamed to user like account name */
  winlog.event_data.OldTargetUserName : "*$" and not winlog.event_data.NewTargetUserName : "*$"
```

* Create privilege_escalation_samaccountname_spoofing_attack.toml

* Update non-ecs-schema.json

* extra ref

* toml linted

* ref for MS kb5008102

* more ref

* Update rules/windows/privilege_escalation_samaccountname_spoofing_attack.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update rules/windows/privilege_escalation_samaccountname_spoofing_attack.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update non-ecs-schema.json

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

(cherry picked from commit 26fb8e83a5)

2022-01-27 14:49:15 +00:00

api_schemas

(manually cherry picked from commit 2e78da5c9a)

2022-01-25 18:49:15 -09:00

beats_schemas

(manually cherry picked from commit 2e78da5c9a)

2022-01-25 18:49:15 -09:00

ecs_schemas

(manually cherry picked from commit 2e78da5c9a)

2022-01-25 18:49:15 -09:00

attack-crosswalk.json

[Rule Tuning] Update ATT&CK threat mappings to reflect changes (#706 )