Samirbous
26fb8e83a5
* [New Rule] Potential Privileged Escalation via SamAccountName Spoofing Identifies a suspicious computer account name rename event, this may indicate an attempt to exploit CVE-2021-42278 to elevated privileges from standard domain user to domain admin privileges. CVE-2021-42278 is a security vulnerability that allows potential attackers to impersonate a domain controller using computer account sAMAccountName spoofing. https://cloudbrothers.info/en/exploit-kerberos-samaccountname-spoofing/ https://github.com/cube0x0/noPac EQL ``` iam where event.action == "renamed-user-account" and /* machine account name renamed to user like account name */ winlog.event_data.OldTargetUserName : "*$" and not winlog.event_data.NewTargetUserName : "*$" ``` * Create privilege_escalation_samaccountname_spoofing_attack.toml * Update non-ecs-schema.json * extra ref * toml linted * ref for MS kb5008102 * more ref * Update rules/windows/privilege_escalation_samaccountname_spoofing_attack.toml Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> * Update rules/windows/privilege_escalation_samaccountname_spoofing_attack.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update non-ecs-schema.json Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
