Suspicious Computer Account Name Change

Author: Mauricio Velazco, Splunk
Source: upstream

The following analytic detects a suspicious computer account name change in Active Directory. It leverages Event ID 4781, which logs account name changes, to identify instances where a computer account name (which normally ends with a $) is changed to one that does not end with a $. This behavior is significant because it may indicate an attempt to exploit CVE-2021-42278 and CVE-2021-42287, which together can lead to domain controller impersonation and privilege escalation. If confirmed malicious, this activity could allow an attacker to gain elevated privileges and potentially take control of the domain.

MITRE ATT&CK coverage

Tactic                Technique
Initial Access        T1078.002 Valid Accounts: Domain Accounts
Persistence           T1078.002 Valid Accounts: Domain Accounts
Privilege Escalation  T1078.002 Valid Accounts: Domain Accounts
Defense Evasion       T1078.002 Valid Accounts: Domain Accounts

Event coverage

Provider           Event ID  Title
Security-Auditing  4781      The name of an account was changed.

Stages and Predicates

Stage 1: search

search EventCode=4781 NewTargetUserName!="*$" OldTargetUserName="*$"

Stage 2: table

table Caller_User_Name, Computer, NewTargetUserName, OldTargetUserName, _time

Stage 3: rename

rename

Stage 4: search

search `macro`
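The Stage 1 predicate and Stage 2 projection, run over constructed sample records, as an added Python example that is not part of this rule or of Splunk's own content. Field names are assumed to follow the Splunk Add-on for Windows extractions the search relies on; the later rename and macro stages are not reproduced because the page does not show their arguments.

```python
import re

# Constructed sample events, shaped like Splunk-extracted Windows Security records
# (field names follow the Splunk Add-on for Windows; all values are invented for this example).
SAMPLE_EVENTS = [
    {"EventCode": "4781", "Computer": "dc01.corp.example", "Caller_User_Name": "jdoe",
     "OldTargetUserName": "WKS01$", "NewTargetUserName": "DC01", "_time": "2024-01-01T10:00:00"},
    {"EventCode": "4781", "Computer": "dc01.corp.example", "Caller_User_Name": "admin",
     "OldTargetUserName": "WKS02$", "NewTargetUserName": "WKS02-NEW$", "_time": "2024-01-01T10:05:00"},
    {"EventCode": "4781", "Computer": "dc01.corp.example", "Caller_User_Name": "admin",
     "OldTargetUserName": "bob", "NewTargetUserName": "robert", "_time": "2024-01-01T10:10:00"},
    {"EventCode": "4738", "Computer": "dc01.corp.example", "Caller_User_Name": "admin",
     "OldTargetUserName": "WKS03$", "NewTargetUserName": "WKS03", "_time": "2024-01-01T10:15:00"},
]

# Fields kept by Stage 2 (the `table` command), in the same order as the search.
TABLE_FIELDS = ["Caller_User_Name", "Computer", "NewTargetUserName", "OldTargetUserName", "_time"]


def spl_wildcard_match(pattern: str, value: str) -> bool:
    """Emulate a Splunk search-time wildcard comparison: '*' matches any run of
    characters and matching is case-insensitive, so "*$" means "ends with $"."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value, flags=re.IGNORECASE) is not None


def is_suspicious_rename(event: dict) -> bool:
    """Stage 1 predicate: EventCode=4781 NewTargetUserName!="*$" OldTargetUserName="*$".
    In SPL, field!=value is only true when the field is present, so an event missing
    either name field does not match (mirroring Splunk rather than loosening the test)."""
    if event.get("EventCode") != "4781":
        return False
    old, new = event.get("OldTargetUserName"), event.get("NewTargetUserName")
    if old is None or new is None:
        return False
    # Old name was a computer account (trailing $); the new name dropped the $.
    return spl_wildcard_match("*$", old) and not spl_wildcard_match("*$", new)


def detect(events) -> list:
    """Stages 1 and 2: filter the events, then project the tabled fields."""
    return [{f: e.get(f) for f in TABLE_FIELDS} for e in events if is_suspicious_rename(e)]


if __name__ == "__main__":
    for row in detect(SAMPLE_EVENTS):
        print(row)
```

Only the first sample record matches: the second keeps a trailing $, the third was never a computer account, and the fourth is not Event ID 4781.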

Indicators

Each row lists a field, an operator, and a value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely used, community-vetted indicators, while a blank or 1 means the indicator is specific to this rule.

Field              Kind  Values
EventCode          eq    4781  (corpus 2; splunk 2)
NewTargetUserName  ne    "*$"  (corpus 2; splunk 2)
OldTargetUserName  eq    "*$"  (corpus 2; splunk 2)