Analytics Story: sAMAccountName Spoofing and Domain Controller Impersonation
Description
Monitor for activities and techniques associated with the exploitation of the sAMAccountName Spoofing (CVE-2021-42278) and Domain Controller Impersonation (CVE-2021-42287) vulnerabilities.
Why it matters
On November 9, 2021, Microsoft released patches to address two vulnerabilities that affect Windows Active Directory networks, sAMAccountName Spoofing (CVE-2021-42278) and Domain Controller Impersonation (CVE-2021-42287). On December 10, 2021, security researchers Charlie Clark and Andrew Schwartz released a blog post where they shared how to weaponise these vulnerabilities in a target network an the initial detection opportunities. When successfully exploited, CVE-2021-42278 and CVE-2021-42287 allow an adversary, who has stolen the credentials of a low priviled domain user, to obtain a Kerberos Service ticket for a Domain Controller computer account. The only requirement is to have network connectivity to a domain controller. This attack vector effectivelly allows attackers to escalate their privileges in an Active Directory from a regular domain user account and take control of a domain controller. While patches have been released to address these vulnerabilities, deploying detection controls for this attack may help help defenders identify attackers attempting exploitation.
Detections
Data Sources
| Name | Platform | Sourcetype | Source |
|---|---|---|---|
| Windows Event Log Security 4768 |  Windows |
xmlwineventlog |
XmlWinEventLog:Security |
| Windows Event Log Security 4769 | Windows |
xmlwineventlog |
XmlWinEventLog:Security |
| Windows Event Log Security 4781 | Windows |
xmlwineventlog |
XmlWinEventLog:Security |
References
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-42278
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-42287
- https://exploit.ph/cve-2021-42287-cve-2021-42278-weaponisation.html
Source: GitHub | Version: 1