{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/cpes/cpe2.3omicrosoftwindows_server_2012-/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":["cpe:2.3:o:microsoft:windows_server_2004:*:*:*:*:*:*:*:*","cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:*:*","cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:x64:*","cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*","cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*","cpe:2.3:o:microsoft:windows_server_2016:*:*:*:*:*:*:*:*","cpe:2.3:o:microsoft:windows_server_2019:*:*:*:*:*:*:*:*","cpe:2.3:o:microsoft:windows_server_2022:*:*:*:*:*:*:*:*","cpe:2.3:o:microsoft:windows_server_20h2:*:*:*:*:*:*:*:*"],"_cs_cves":[{"cvss":7.5,"id":"CVE-2021-42278"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Active Directory"],"_cs_severities":["high"],"_cs_tags":["privilege-escalation","windows","active-directory","cve-2021-42278"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThe rule identifies attempts to exploit CVE-2021-42278, a security vulnerability that allows attackers to impersonate a domain controller via samAccountName attribute spoofing. This vulnerability can be used to elevate privileges from a standard domain user to a user with domain admin privileges. The attack involves renaming a computer account (identified by a \u0026lsquo;$\u0026rsquo; suffix) to a user-like account name (without the \u0026lsquo;$\u0026rsquo; suffix). Successful exploitation can lead to complete domain compromise. This rule focuses on detecting the initial account rename activity, a critical step in the exploit chain.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker compromises a standard domain user account through phishing or other means.\u003c/li\u003e\n\u003cli\u003eAttacker uses the compromised user account to rename a computer account\u0026rsquo;s samAccountName attribute, removing the trailing \u0026lsquo;$\u0026rsquo;.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages CVE-2021-42278 to request Kerberos tickets for the renamed account, effectively impersonating the computer account.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the impersonated computer account to request privileged Kerberos tickets.\u003c/li\u003e\n\u003cli\u003eThe attacker authenticates to domain services using the privileged Kerberos tickets.\u003c/li\u003e\n\u003cli\u003eAttacker gains control over critical domain resources and services.\u003c/li\u003e\n\u003cli\u003eAttacker elevates privileges to domain administrator.\u003c/li\u003e\n\u003cli\u003eAttacker achieves complete domain compromise, enabling data exfiltration, ransomware deployment, or other malicious activities.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2021-42278 can lead to a complete compromise of the Active Directory domain. An attacker can gain domain administrator privileges, allowing them to control all domain resources, access sensitive data, deploy ransomware, and disrupt business operations. The vulnerability affects all unpatched Windows Server versions running Active Directory Domain Services.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Audit User Account Management to generate the necessary Windows Security Event Logs for detection. Reference: \u003ca href=\"https://ela.st/audit-user-account-management\"\u003eSetup instructions\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eApply Microsoft\u0026rsquo;s hardening changes for CVE-2021-42278 to mitigate the vulnerability. Reference: \u003ca href=\"https://support.microsoft.com/en-us/topic/kb5008102-active-directory-security-accounts-manager-hardening-changes-cve-2021-42278-5975b463-4c95-45e1-831a-d120004e258e\"\u003eKB5008102\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect SamAccountName Spoofing (CVE-2021-42278)\u003c/code\u003e to detect suspicious computer account renames.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on the user account that initiated the rename and the target account.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-12T19:09:36Z","date_published":"2026-05-12T19:09:36Z","id":"https://feed.craftedsignal.io/briefs/2026-05-samaccountname-spoofing/","summary":"This rule detects potential privilege escalation attempts by exploiting CVE-2021-42278, which involves spoofing the samAccountName attribute to impersonate a domain controller and elevate privileges from a standard domain user to a domain administrator by identifying suspicious computer account name rename events where a machine account name is renamed to a user-like account name.","title":"Potential Privileged Escalation via SamAccountName Spoofing (CVE-2021-42278)","url":"https://feed.craftedsignal.io/briefs/2026-05-samaccountname-spoofing/"},{"_cs_actors":[],"_cs_cpes":["cpe:2.3:o:microsoft:windows_10_1507:*:*:*:*:*:*:*:*","cpe:2.3:o:microsoft:windows_10_1607:*:*:*:*:*:*:*:*","cpe:2.3:o:microsoft:windows_10_1809:*:*:*:*:*:*:*:*","cpe:2.3:o:microsoft:windows_10_1909:*:*:*:*:*:*:*:*","cpe:2.3:o:microsoft:windows_10_2004:*:*:*:*:*:*:*:*","cpe:2.3:o:microsoft:windows_10_20h2:*:*:*:*:*:*:*:*","cpe:2.3:o:microsoft:windows_10_21h1:*:*:*:*:*:*:*:*","cpe:2.3:o:microsoft:windows_11_21h2:*:*:*:*:*:*:*:*","cpe:2.3:o:microsoft:windows_7:-:sp1:*:*:*:*:*:*","cpe:2.3:o:microsoft:windows_8.1:-:*:*:*:*:*:*:*","cpe:2.3:o:microsoft:windows_rt_8.1:-:*:*:*:*:*:*:*","cpe:2.3:o:microsoft:windows_server_2004:*:*:*:*:*:*:*:*","cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:*:*","cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:x64:*","cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*","cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*","cpe:2.3:o:microsoft:windows_server_2016:*:*:*:*:*:*:*:*","cpe:2.3:o:microsoft:windows_server_2019:*:*:*:*:*:*:*:*","cpe:2.3:o:microsoft:windows_server_2022:*:*:*:*:*:*:*:*","cpe:2.3:o:microsoft:windows_server_20h2:*:*:*:*:*:*:*:*"],"_cs_cves":[{"cvss":5.5,"id":"CVE-2021-41379"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Edge"],"_cs_severities":["high"],"_cs_tags":["privilege-escalation","cve-2021-41379","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThe rule identifies a potential privilege escalation attempt by exploiting the InstallerTakeOver vulnerability (CVE-2021-41379). This vulnerability, when successfully exploited, allows an unprivileged user to gain SYSTEM-level privileges on a Windows system. The detection focuses on identifying suspicious processes running with SYSTEM privileges that deviate from the expected behavior of the \u003ccode\u003eelevation_service.exe\u003c/code\u003e, particularly those not signed by Microsoft or spawning command interpreters. The rule aims to detect exploitation attempts rather than the vulnerability itself. This is important for defenders because successful exploitation leads to full system compromise.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unprivileged user gains initial access to the system.\u003c/li\u003e\n\u003cli\u003eThe user leverages the InstallerTakeOver vulnerability to manipulate the Windows Installer service.\u003c/li\u003e\n\u003cli\u003eA malicious binary overwrites or replaces the legitimate \u003ccode\u003eelevation_service.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe compromised \u003ccode\u003eelevation_service.exe\u003c/code\u003e is executed with SYSTEM privileges.\u003c/li\u003e\n\u003cli\u003eThe modified \u003ccode\u003eelevation_service.exe\u003c/code\u003e spawns a command interpreter (cmd.exe, powershell.exe) or other malicious process.\u003c/li\u003e\n\u003cli\u003eThe spawned process inherits SYSTEM privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker performs malicious actions using the elevated privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves persistence or performs lateral movement within the network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2021-41379 allows an unprivileged user to escalate privileges to SYSTEM, leading to a complete compromise of the affected system. This can enable attackers to install malware, steal sensitive data, create new user accounts with administrative rights, or use the compromised system as a pivot point for further attacks within the network. The scope of impact depends on the attacker\u0026rsquo;s objectives and the compromised system\u0026rsquo;s role within the organization.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Potential InstallerFileTakeOver via Suspicious Service Execution\u0026rdquo; to your SIEM to detect suspicious execution of \u003ccode\u003eelevation_service.exe\u003c/code\u003e with unexpected original file name or code signature.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Potential InstallerFileTakeOver via Suspicious Child Process\u0026rdquo; to your SIEM to detect suspicious processes spawned by \u003ccode\u003eelevation_service.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eReview and harden Windows Installer permissions to prevent unauthorized modifications as referenced in CVE-2021-41379.\u003c/li\u003e\n\u003cli\u003eMonitor file events for modifications to \u003ccode\u003eelevation_service.exe\u003c/code\u003e to identify potential service overwrite attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-12T19:00:53Z","date_published":"2026-05-12T19:00:53Z","id":"https://feed.craftedsignal.io/briefs/2026-05-installer-takeover/","summary":"This rule detects potential exploitation of the InstallerTakeOver vulnerability (CVE-2021-41379), where successful exploitation allows an unprivileged user to escalate privileges to SYSTEM.","title":"Potential Privilege Escalation via InstallerFileTakeOver (CVE-2021-41379)","url":"https://feed.craftedsignal.io/briefs/2026-05-installer-takeover/"}],"language":"en","title":"CraftedSignal Threat Feed — Cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*","version":"https://jsonfeed.org/version/1.1"}