{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2021-42278/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":["cpe:2.3:o:microsoft:windows_server_2004:*:*:*:*:*:*:*:*","cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:*:*","cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:x64:*","cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*","cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*","cpe:2.3:o:microsoft:windows_server_2016:*:*:*:*:*:*:*:*","cpe:2.3:o:microsoft:windows_server_2019:*:*:*:*:*:*:*:*","cpe:2.3:o:microsoft:windows_server_2022:*:*:*:*:*:*:*:*","cpe:2.3:o:microsoft:windows_server_20h2:*:*:*:*:*:*:*:*"],"_cs_cves":[{"cvss":7.5,"id":"CVE-2021-42278"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Active Directory"],"_cs_severities":["high"],"_cs_tags":["privilege-escalation","windows","active-directory","cve-2021-42278"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThe rule identifies attempts to exploit CVE-2021-42278, a security vulnerability that allows attackers to impersonate a domain controller via samAccountName attribute spoofing. This vulnerability can be used to elevate privileges from a standard domain user to a user with domain admin privileges. The attack involves renaming a computer account (identified by a \u0026lsquo;$\u0026rsquo; suffix) to a user-like account name (without the \u0026lsquo;$\u0026rsquo; suffix). Successful exploitation can lead to complete domain compromise. \nThis rule focuses on detecting the initial account rename activity, a critical step in the exploit chain.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker compromises a standard domain user account through phishing or other means.\u003c/li\u003e\n\u003cli\u003eAttacker uses the compromised user account to rename a computer account\u0026rsquo;s samAccountName attribute, removing the trailing \u0026lsquo;$\u0026rsquo;.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages CVE-2021-42278 to request Kerberos tickets for the renamed account, effectively impersonating the computer account.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the impersonated computer account to request privileged Kerberos tickets.\u003c/li\u003e\n\u003cli\u003eThe attacker authenticates to domain services using the privileged Kerberos tickets.\u003c/li\u003e\n\u003cli\u003eAttacker gains control over critical domain resources and services.\u003c/li\u003e\n\u003cli\u003eAttacker elevates privileges to domain administrator.\u003c/li\u003e\n\u003cli\u003eAttacker achieves complete domain compromise, enabling data exfiltration, ransomware deployment, or other malicious activities.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2021-42278 can lead to a complete compromise of the Active Directory domain. An attacker can gain domain administrator privileges, allowing them to control all domain resources, access sensitive data, deploy ransomware, and disrupt business operations. The vulnerability affects all unpatched Windows Server versions running Active Directory Domain Services.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Audit User Account Management to generate the necessary Windows Security Event Logs for detection. \nReference: \u003ca href=\"https://ela.st/audit-user-account-management\"\u003eSetup instructions\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eApply Microsoft\u0026rsquo;s hardening changes for CVE-2021-42278 to mitigate the vulnerability. Reference: \u003ca href=\"https://support.microsoft.com/en-us/topic/kb5008102-active-directory-security-accounts-manager-hardening-changes-cve-2021-42278-5975b463-4c95-45e1-831a-d120004e258e\"\u003eKB5008102\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect SamAccountName Spoofing (CVE-2021-42278)\u003c/code\u003e to detect suspicious computer account renames.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on the user account that initiated the rename and the target account.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-12T19:09:36Z","date_published":"2026-05-12T19:09:36Z","id":"https://feed.craftedsignal.io/briefs/2026-05-samaccountname-spoofing/","summary":"This rule detects potential privilege escalation attempts by exploiting CVE-2021-42278, which involves spoofing the samAccountName attribute to impersonate a domain controller and elevate privileges from a standard domain user to a domain administrator by identifying suspicious computer account name rename events where a machine account name is renamed to a user-like account name.","title":"Potential Privileged Escalation via SamAccountName Spoofing (CVE-2021-42278)","url":"https://feed.craftedsignal.io/briefs/2026-05-samaccountname-spoofing/"}],"language":"en","title":"CraftedSignal Threat Feed — Cve-2021-42278","version":"https://jsonfeed.org/version/1.1"}