Skip to content
Threat Feed
high advisory

Potential Privileged Escalation via SamAccountName Spoofing (CVE-2021-42278)

This rule detects potential privilege escalation attempts by exploiting CVE-2021-42278, which involves spoofing the samAccountName attribute to impersonate a domain controller and elevate privileges from a standard domain user to a domain administrator by identifying suspicious computer account name rename events where a machine account name is renamed to a user-like account name.

The rule identifies attempts to exploit CVE-2021-42278, a security vulnerability that allows attackers to impersonate a domain controller via samAccountName attribute spoofing. This vulnerability can be used to elevate privileges from a standard domain user to a user with domain admin privileges. The attack involves renaming a computer account (identified by a ‘$’ suffix) to a user-like account name (without the ‘$’ suffix). Successful exploitation can lead to complete domain compromise. This rule focuses on detecting the initial account rename activity, a critical step in the exploit chain.

Attack Chain

  1. Attacker compromises a standard domain user account through phishing or other means.
  2. Attacker uses the compromised user account to rename a computer account’s samAccountName attribute, removing the trailing ‘$’.
  3. The attacker leverages CVE-2021-42278 to request Kerberos tickets for the renamed account, effectively impersonating the computer account.
  4. The attacker uses the impersonated computer account to request privileged Kerberos tickets.
  5. The attacker authenticates to domain services using the privileged Kerberos tickets.
  6. Attacker gains control over critical domain resources and services.
  7. Attacker elevates privileges to domain administrator.
  8. Attacker achieves complete domain compromise, enabling data exfiltration, ransomware deployment, or other malicious activities.

Impact

Successful exploitation of CVE-2021-42278 can lead to a complete compromise of the Active Directory domain. An attacker can gain domain administrator privileges, allowing them to control all domain resources, access sensitive data, deploy ransomware, and disrupt business operations. The vulnerability affects all unpatched Windows Server versions running Active Directory Domain Services.

Recommendation

  • Enable Audit User Account Management to generate the necessary Windows Security Event Logs for detection. Reference: Setup instructions.
  • Apply Microsoft’s hardening changes for CVE-2021-42278 to mitigate the vulnerability. Reference: KB5008102.
  • Deploy the Sigma rule Detect SamAccountName Spoofing (CVE-2021-42278) to detect suspicious computer account renames.
  • Investigate any alerts generated by the Sigma rule, focusing on the user account that initiated the rename and the target account.

Detection coverage 2

Detect SamAccountName Spoofing (CVE-2021-42278)

high

Detects CVE-2021-42278 exploitation — suspicious computer account name rename event indicating potential privilege escalation attempt by spoofing the samAccountName attribute.

sigma tactics: privilege_escalation techniques: T1068 sources: process_creation, windows

Detect SamAccountName Spoofing - Renamed Event (CVE-2021-42278)

high

Detects CVE-2021-42278 exploitation — detects when a computer account (ends with $) is renamed to a non-computer account.

sigma tactics: privilege_escalation techniques: T1068 sources: process_creation, windows

Detection queries are available on the platform. Get full rules →