CVE-2021-42278 is a sAMAccountName spoofing weakness in Active Directory. A low-privileged user who can create or control a computer account (the default MachineAccountQuota lets any domain user create ten) renames that account's sAMAccountName to a domain controller's name without the trailing "$" (for example "DC1" instead of "DC1$"), requests a TGT under that name, renames the account back, and then, chained with CVE-2021-42287, obtains a service ticket that the KDC issues for the real domain controller. The rename is the visible artifact: Microsoft Defender for Identity records it as an IdentityDirectoryEvents row with ActionType "SAM Account Name changed". SOC teams should hunt in Microsoft Sentinel for computer accounts whose sAMAccountName loses its trailing "$", or takes a domain controller's name, to catch this privilege escalation path before the forged ticket is used.
KQL Query
IdentityDirectoryEvents
| where Timestamp > ago(1d)
| where ActionType == "SAM Account Name changed"
| extend FROMSAM = tostring(parse_json(AdditionalFields)['FROM SAM Account Name'])
| extend TOSAM = tostring(parse_json(AdditionalFields)['TO SAM Account Name'])
// Computer accounts always end in "$": a rename that drops it is the CVE-2021-42278 pattern.
// endswith is used rather than has, because "$" is not a term that has can match reliably.
| where (FROMSAM endswith "$" and TOSAM !endswith "$")
    // or the new name is one of the org's domain controllers, written without the "$".
    // Replace the placeholders with the real DC names.
    or TOSAM in ("DC1", "DC2", "DC3", "DC4")
// AccountName is the account that performed the change; keep it for triage
| project Timestamp, Application, ActionType, AccountName, TargetDeviceName, FROMSAM, TOSAM, ReportId, AdditionalFields
id: 89ce68d5-dd48-4f3f-b102-336fc4ebdda9
name: SAM-Name-Changes-CVE-2021-42278
description: |
  The following query detects possible CVE-2021-42278 exploitation by finding sAMAccountName changes of computer accounts (trailing "$" removed, or renamed to a domain controller's name) in Microsoft Defender for Identity events
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - IdentityDirectoryEvents
tactics:
  - PrivilegeEscalation
query: |
  IdentityDirectoryEvents
  | where Timestamp > ago(1d)
  | where ActionType == "SAM Account Name changed"
  | extend FROMSAM = tostring(parse_json(AdditionalFields)['FROM SAM Account Name'])
  | extend TOSAM = tostring(parse_json(AdditionalFields)['TO SAM Account Name'])
  | where (FROMSAM endswith "$" and TOSAM !endswith "$")
      or TOSAM in ("DC1", "DC2", "DC3", "DC4") // DC Names in the org, without the trailing "$"
  | project Timestamp, Application, ActionType, AccountName, TargetDeviceName, FROMSAM, TOSAM, ReportId, AdditionalFields
| Sentinel Table | Notes |
|---|---|
| IdentityDirectoryEvents | Microsoft Defender for Identity events ingested through the Microsoft 365 Defender (MicrosoftThreatProtection) connector; ensure the connector and this data type are enabled |
Scenario: Scheduled Maintenance or Provisioning Script
Description: A scheduled task or provisioning script renames domain-joined computers (for example with Rename-Computer) as part of routine maintenance. A proper rename changes the sAMAccountName from OLD$ to NEW$, so the trailing "$" survives and the first clause of the query does not fire. Such an event only appears if the script writes a sAMAccountName without the "$" or picks a domain controller's name; fix the script rather than excluding it permanently.
Filter/Exclusion: AccountName == "<provisioning service account>" and TOSAM !in ("DC1", "DC2", "DC3", "DC4"), applied only after the script has been verified to keep the trailing "$"
Scenario: Domain Controller Rebuild or Promotion
Description: When a domain controller is rebuilt, demoted and re-promoted, an administrator may pre-stage or rename a computer object with the DC's name. Active Directory replication itself never changes a sAMAccountName, so replication and synchronization traffic does not produce these events. Never exclude on name substrings such as "DC" or "DomainController": the attack consists of renaming an account to exactly such a name, and that exclusion would hide the true positive.
Filter/Exclusion: AccountName in ("<Domain Admins who performed the change>") and Timestamp within the approved change window, tied to a change ticket; keep the window narrow
Scenario: Microsoft Endpoint Manager (Intune) Device Rename
Description: A device is renamed by Intune or by hybrid Azure AD join during enrollment or policy enforcement. The on-premises computer object is renamed with the "$" retained, so the query does not match. If such renames do show up, the sync or connector account writing the attribute is dropping the "$" and should be corrected.
Filter/Exclusion: AccountName == "<Intune connector or hybrid-join service account>" and TOSAM !in ("DC1", "DC2", "DC3", "DC4")
Scenario: Network Device (Switch or Router) Rename
Description: Switches and routers are not Active Directory computer accounts. Renaming them changes no sAMAccountName and produces no IdentityDirectoryEvents rows, so this scenario cannot trigger the query.
Filter/Exclusion: none needed
Scenario: Interactive Administrator Rename (PowerShell, ADUC or an RDP session)
Description: An administrator renames a computer while troubleshooting. Rename-Computer keeps the "$"; editing the pre-Windows 2000 name in ADUC or running Set-ADComputer -SamAccountName lets an admin set a value without the "$", which the query reports. Treat this as a misconfiguration to correct, and confirm the account was not renamed to a DC name.
Filter/Exclusion: AccountName in ("<admin accounts allowed to rename computers>") and TOSAM !in ("DC1", "DC2", "DC3", "DC4"); exclude on the actor, never on the target name, and prefer short-lived exclusions, because a compromised admin account would otherwise become invisible to the hunt
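The hunting query above and the exclusion scenarios, worked through in Python as an added example (this is not code from the original page or from Microsoft): the query's two clauses are replayed over constructed IdentityDirectoryEvents rows, a second pass pairs each hit with the rename-back that completes the CVE-2021-42278/42287 round trip (the rename-back is never flagged on its own), and the name-substring exclusion the scenarios warn against is contrasted with an actor-based one. Column names follow the IdentityDirectoryEvents schema; the rows, account names, allowlist and DC list are assumptions made for the example.

```python
"""Replay of the SAM-Name-Changes-CVE-2021-42278 hunt over constructed rows.
Added example, not the page's own query; all data below is made up."""
from datetime import datetime, timedelta

ACTION = "SAM Account Name changed"
DC_NAMES = {"DC1", "DC2", "DC3", "DC4"}            # assumed DC names, without the trailing "$"
RENAME_ALLOWLIST = {"svc-provision", "helpdesk1"}  # assumed accounts allowed to rename computers


def _ev(ts, actor, target, from_sam, to_sam):
    """One constructed IdentityDirectoryEvents row, limited to the columns the query uses."""
    return {
        "Timestamp": datetime.fromisoformat(ts),
        "ActionType": ACTION,
        "Application": "Active Directory",
        "AccountName": actor,              # account that performed the change
        "TargetDeviceName": target,
        "AdditionalFields": {"FROM SAM Account Name": from_sam, "TO SAM Account Name": to_sam},
    }


NOW = datetime.fromisoformat("2021-12-13T12:00:00")
EVENTS = [  # constructed sample telemetry
    _ev("2021-12-13T08:05:00", "svc-provision", "WS01", "WS01$", "WS02$"),  # routine rename, "$" kept
    _ev("2021-12-13T08:20:00", "helpdesk1", "WS03", "WS03$", "WS03"),        # admin dropped the "$" by hand
    _ev("2021-12-13T09:00:00", "lowpriv", "EVILPC", "EVILPC$", "DC1"),       # CVE-2021-42278: take DC1's name
    _ev("2021-12-13T09:01:30", "lowpriv", "EVILPC", "DC1", "EVILPC$"),       # rename back once the TGT is issued
    _ev("2021-12-13T09:30:00", "helpdesk1", "", "jsmith", "jsmith2"),        # user rename, no "$" on either side
    _ev("2021-12-10T09:00:00", "lowpriv", "OLDPC", "OLDPC$", "DC2"),         # same pattern, outside the 1-day window
]


def sam_change(ev):
    af = ev["AdditionalFields"]
    return af["FROM SAM Account Name"], af["TO SAM Account Name"]


def matches_query(ev):
    """The two `where` clauses of the KQL query (endswith in place of `has "$"`)."""
    if ev["ActionType"] != ACTION:
        return False
    from_sam, to_sam = sam_change(ev)
    return (from_sam.endswith("$") and not to_sam.endswith("$")) or to_sam in DC_NAMES


def hunt(events, now=NOW, lookback=timedelta(days=1)):
    """Timestamp > ago(1d), then the predicate; keeps event order."""
    return [ev for ev in events if ev["Timestamp"] > now - lookback and matches_query(ev)]


def rename_back_pairs(events, hits, window=timedelta(hours=1)):
    """Pair each hit with a later change by the same actor that moves the spoofed
    name back to a "$" name, i.e. the full CVE-2021-42278 round trip."""
    pairs = []
    for hit in hits:
        _, spoofed = sam_change(hit)
        for ev in events:
            f, t = sam_change(ev)
            if (ev["AccountName"] == hit["AccountName"]
                    and hit["Timestamp"] < ev["Timestamp"] <= hit["Timestamp"] + window
                    and f == spoofed and t.endswith("$")):
                pairs.append((hit, ev))
    return pairs


def exclude_by_name_substring(hits, needle="DC"):
    """The exclusion style to avoid: drops every new name containing the substring, attack included."""
    return [h for h in hits if needle not in sam_change(h)[1].upper()]


def exclude_by_actor(hits, allowlist=RENAME_ALLOWLIST):
    """Actor-based exclusion: allowlisted rename accounts are tolerated for the
    dropped-"$" clause only; a rename to a DC name is never excluded."""
    return [h for h in hits
            if not (h["AccountName"] in allowlist and sam_change(h)[1] not in DC_NAMES)]


if __name__ == "__main__":
    hits = hunt(EVENTS)
    for h in hits:
        print("hit  ", h["Timestamp"], h["AccountName"], "%s -> %s" % sam_change(h))
    for hit, back in rename_back_pairs(EVENTS, hits):
        print("pair ", hit["AccountName"], sam_change(hit), "then", sam_change(back))
    print("substring exclusion leaves:", [sam_change(h) for h in exclude_by_name_substring(hits)])
    print("actor exclusion leaves:    ", [sam_change(h) for h in exclude_by_actor(hits)])
```

Running it lists two hits (the helpdesk mistake and the attacker's rename to DC1), pairs only the attacker's hit with its rename-back 90 seconds later, and shows that the substring exclusion keeps the benign hit while discarding the attack, whereas the actor-based exclusion does the opposite. The pairing pass is a useful second-stage filter in a real hunt: a "$"-dropped rename that is reverted by the same account within minutes is exactly the shape of the exploit.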