
Sigma rules for CVE-2021-42287

2 rules, scoped to this CVE.
Direct rules mention this entity in their title or description. Related rules cover the techniques this entity is known to use.

Detection rules

Direct rule · level: high
Suspicious Computer Account Name Change CVE-2021-42287
Detects the renaming of an existing computer account to an account name that doesn't contain a $ symbol, as seen in attacks against CVE-2021-42287.
status: test · author: Florian Roth (Nextron Systems) · id: 45eb2ae2-9aa2-4c3a-99a5-6e5077655466 · license: Sigma DRL-1.1
Sigma YAML:
title: Suspicious Computer Account Name Change CVE-2021-42287
id: 45eb2ae2-9aa2-4c3a-99a5-6e5077655466
status: test
description: Detects the renaming of an existing computer account to an account name that doesn't contain a $ symbol as seen in attacks against CVE-2021-42287
references:
    - https://medium.com/@mvelazco/hunting-for-samaccountname-spoofing-cve-2021-42287-and-domain-controller-impersonation-f704513c8a45
author: Florian Roth (Nextron Systems)
date: 2021-12-22
modified: 2022-12-25
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.stealth
    - attack.t1036
    - attack.t1098
    - cve.2021-42287
    - detection.emerging-threats
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4781 # rename user
        OldTargetUserName|contains: '$'
    filter:
        NewTargetUserName|contains: '$'
    condition: selection and not filter
falsepositives:
    - Unknown
level: high
Direct rule · level: medium
Potential CVE-2021-42287 Exploitation Attempt
The attacker creates a computer object using those permissions with a password known to her. After that she clears the attribute ServicePrincipalName on the computer object. Because she created the object (CREATOR OWNER), she gets granted additional permissions and can do many changes to the object.
status: test · author: frack113 · id: e80a0fee-1a62-4419-b31e-0d0db6e6013a · license: Sigma DRL-1.1
Sigma YAML:
title: Potential CVE-2021-42287 Exploitation Attempt
id: e80a0fee-1a62-4419-b31e-0d0db6e6013a
related:
    - id: 44bbff3e-4ca3-452d-a49a-6efa4cafa06f
      type: similar
status: test
description: |
    The attacker creates a computer object using those permissions with a password known to her.
    After that she clears the attribute ServicePrincipalName on the computer object.
    Because she created the object (CREATOR OWNER), she gets granted additional permissions and can do many changes to the object.
references:
    - https://cloudbrothers.info/en/exploit-kerberos-samaccountname-spoofing/
author: frack113
date: 2021-12-15
modified: 2023-04-14
tags:
    - attack.credential-access
    - attack.t1558.003
    - detection.emerging-threats
    - cve.2021-42287
logsource:
    product: windows
    service: system
detection:
    selection:
        Provider_Name: Microsoft-Windows-Directory-Services-SAM  # Active Directory
        EventID:
            - 16990 # Object class and UserAccountControl validation failure
            - 16991 # SAM Account Name validation failure
    condition: selection
falsepositives:
    - Unknown
level: medium
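The detection logic of both rules above, evaluated against a handful of constructed Windows events, as an added Python example that is not part of this page or of the Sigma project; the event dicts, the field names taken from the rules, and the helper functions are assumptions of this example, and the `$`-suffix convention for computer accounts is what the first rule relies on:

```python
"""Evaluate the two CVE-2021-42287 Sigma rules above against constructed events.

Each event is a dict carrying the fields the rules reference (a simplified
stand-in for a parsed Security/System event). All sample events are
constructed for this example, not taken from any real log.
"""

SAM_PROVIDER = "Microsoft-Windows-Directory-Services-SAM"


def matches_rename_rule(event):
    """Rule 45eb2ae2: EventID 4781, old name contains '$', new name does not.

    Mirrors 'selection and not filter': a computer account (sAMAccountName
    ending in $) renamed to a name without '$', the sAMAccountName spoofing step.
    """
    if str(event.get("EventID")) != "4781":
        return False
    selection = "$" in str(event.get("OldTargetUserName", ""))
    filter_hit = "$" in str(event.get("NewTargetUserName", ""))
    return selection and not filter_hit


def matches_sam_validation_rule(event):
    """Rule e80a0fee: SAM provider events 16990/16991 (validation failures)."""
    return (event.get("Provider_Name") == SAM_PROVIDER
            and str(event.get("EventID")) in {"16990", "16991"})


# Constructed samples: one true positive per rule, one benign rename that the
# filter excludes, one user rename, and one 16990 from the wrong provider.
SAMPLE_EVENTS = [
    {"EventID": 4781, "OldTargetUserName": "WS01$", "NewTargetUserName": "DC01"},
    {"EventID": 4781, "OldTargetUserName": "WS02$", "NewTargetUserName": "WS02-NEW$"},
    {"EventID": 4781, "OldTargetUserName": "jdoe", "NewTargetUserName": "jdoe2"},
    {"EventID": 16991, "Provider_Name": SAM_PROVIDER},
    {"EventID": 16990, "Provider_Name": "Microsoft-Windows-Security-Auditing"},
]

RENAME_RULE = "Suspicious Computer Account Name Change CVE-2021-42287"
SAM_RULE = "Potential CVE-2021-42287 Exploitation Attempt"


def run_rules(events):
    """Return the indices of the events each rule matches, keyed by rule title."""
    hits = {RENAME_RULE: [], SAM_RULE: []}
    for i, ev in enumerate(events):
        if matches_rename_rule(ev):
            hits[RENAME_RULE].append(i)
        if matches_sam_validation_rule(ev):
            hits[SAM_RULE].append(i)
    return hits


if __name__ == "__main__":
    for title, idx in run_rules(SAMPLE_EVENTS).items():
        print(f"{title}: matched events {idx}")
```

Only the rename from WS01$ to DC01 and the 16991 event from the SAM provider should match; the rename that keeps the `$` is dropped by the rule's filter.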