From 9c3f72b7c49a9660c0ab5298e5fb858018da3570 Mon Sep 17 00:00:00 2001 From: Daniel Naim <40626732+danaim1@users.noreply.github.com> Date: Wed, 15 Dec 2021 15:01:58 +0200 Subject: [PATCH 1/2] Create SAM-Name-Changes-CVE-2021-42278 --- .../SAM-Name-Changes-CVE-2021-42278 | 45 +++++++++++++++++++ 1 file changed, 45 insertions(+) create mode 100644 Privilege escalation/SAM-Name-Changes-CVE-2021-42278 diff --git a/Privilege escalation/SAM-Name-Changes-CVE-2021-42278 b/Privilege escalation/SAM-Name-Changes-CVE-2021-42278 new file mode 100644 index 0000000..3e29a6d --- /dev/null +++ b/Privilege escalation/SAM-Name-Changes-CVE-2021-42278 
@@ -0,0 +1,45 @@ +# Active Directory Domain Services Elevation of Privilege Vulnerability, CVE-2021-42278 + +The following query detects possible CVE-2021-42278 exploitation by finding changes of device names in the network using Microsoft Defender for Identity +## Query + +```Kusto +IdentityDirectoryEvents +| where Timestamp > ago(1d) +| where ActionType == "SAM Account Name changed" +| extend FROMSAM = parse_json(AdditionalFields)['FROM SAM Account Name'] +| extend TOSAM = parse_json(AdditionalFields)['TO SAM Account Name'] +| where (FROMSAM has "$" and TOSAM !has "$") + or TOSAM in ("DC1", "DC2", "DC3", "DC4") // DC Names in the org +| project Timestamp, Application, ActionType, TargetDeviceName, FROMSAM, TOSAM, ReportId, AdditionalFields +``` + +## Category + +This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states. + +| Technique, tactic, or state | Covered? (v=yes) | Notes | +|-|-|-| +| Initial access | | | +| Execution | | | +| Persistence | | | +| Privilege escalation | v | | +| Defense evasion | | | +| Credential Access | | | +| Discovery | | | +| Lateral movement | | | +| Collection | | | +| Command and control | | | +| Exfiltration | | | +| Impact | | | +| Vulnerability | v | | +| Misconfiguration | | | +| Malware, component | | | + +## See also + +* [Active Directory Domain Services Elevation of Privilege Vulnerability](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-42278) + +## Contributor info + +**Contributor:** Microsoft Defender for Identity team From d9cbd24e8528df1abd188b92b76616fcb30ce73d Mon Sep 17 00:00:00 2001 
From: tali-ash <63594865+tali-ash@users.noreply.github.com> Date: Thu, 16 Dec 2021 09:54:50 +0200 Subject: [PATCH 2/2] Rename SAM-Name-Changes-CVE-2021-42278 to SAM-Name-Changes-CVE-2021-42278.md --- ...-Changes-CVE-2021-42278 => SAM-Name-Changes-CVE-2021-42278.md} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename Privilege escalation/{SAM-Name-Changes-CVE-2021-42278 => SAM-Name-Changes-CVE-2021-42278.md} (100%) diff --git a/Privilege escalation/SAM-Name-Changes-CVE-2021-42278 b/Privilege escalation/SAM-Name-Changes-CVE-2021-42278.md similarity index 100% rename from Privilege escalation/SAM-Name-Changes-CVE-2021-42278 rename to Privilege escalation/SAM-Name-Changes-CVE-2021-42278.md
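Review bot: in the PATCH 1/2 hunk, the filter `| where (FROMSAM has "$" and TOSAM !has "$")` relies on `has` term-matching a lone `$`, and `or TOSAM in ("DC1", "DC2", "DC3", "DC4")` is a case-sensitive comparison against hardcoded placeholder names, so a rename to `dc1` would not match. The condition the CVE-2021-42278 detection needs is a machine account (sAMAccountName ending in `$`) being renamed to a name without the trailing `$`, in particular to the bare name of a domain controller, and that is stated more precisely as `| where (tostring(FROMSAM) endswith "$" and tostring(TOSAM) !endswith "$") or tostring(TOSAM) in~ (dcNames)` with the DC list lifted into a `let dcNames = dynamic([...]);` at the top of the query; the `// DC Names in the org` comment is easy to miss, so the text above the query should say explicitly that the list has to be replaced with the organisation's own domain controller names before the query is useful. Separately, the description line says the query finds "changes of device names in the network", but what it keys on is the `SAM Account Name changed` action type, i.e. sAMAccountName changes on accounts; wording the description that way would match what the query actually does.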