Query Details

RULE 17 AD No Pac SAM Account Name Spoof

Query

// =========================================================
// RULE-17 | AD-NoPac-SAMAccountName-Spoof
// Description : NoPac / SAMAccountName Spoofing attack
//               detection (CVE-2021-42278 + CVE-2021-42287).
//               Detects the three-step sequence within a
//               5-minute window on the same host:
//               1. Event 4781 — Account name changed
//                  (machine account renamed to DC hostname)
//               2. Event 4768 — TGT requested for the
//                  renamed account
//               3. Event 4781 — Account name changed back
//               The attack tricks the KDC into issuing a TGS
//               as DC$ when requesting a service ticket for
//               a non-existent account (the $ appended
//               fallback behaviour).
// Severity    : Critical (sequence detected)
// Frequency   : Every 15 minutes, look-back 15 minutes
// MITRE       : T1554  — Compromise Client Software Binary
//               T1078.002 — Domain Accounts
// Tables      : SecurityEvent
// =========================================================

let LookBack      = 15m;
let SequenceWindow = 5m;         // All 3 steps must occur within 5 min

// Known DC names (for rename-to-DC detection). On a 4768 event, Computer is
// the DC that issued the TGT, recorded as an FQDN; keep only the short
// hostname so it can be compared with the name a machine account is renamed to
let KnownDCNames = SecurityEvent
    | where TimeGenerated > ago(3d)
    | where EventID == 4768
    | summarize by DCName = toupper(tostring(split(Computer, ".")[0]));

// Step 1 + Step 3: Account renames
let AccountRenames = SecurityEvent
    | where TimeGenerated > ago(LookBack)
    | where EventID == 4781                    // Account name changed
    | where OldTargetUserName endswith "$"     // Machine account on either side:
        or NewTargetUserName endswith "$"      // step 1 drops the $, step 3 restores it
    | extend
        RenameTime   = TimeGenerated,
        OldName      = OldTargetUserName,
        NewName      = NewTargetUserName,      // 4781 carries old/new names in dedicated fields
        Actor        = SubjectUserName,
        ActorDomain  = SubjectDomainName,
        Host         = Computer;

// Step 2: TGT requests for machine accounts in a name-change window
let TGTRequests = SecurityEvent
    | where TimeGenerated > ago(LookBack)
    | where EventID == 4768
    | where TargetUserName !endswith "$"        // No trailing $ = post-rename
    | extend
        TGTTime    = TimeGenerated,
        TGTAccount = toupper(TargetUserName),
        TGTHost    = Computer;

// Correlate: rename → TGT → rename back (same actor, same machine account)
AccountRenames
| where toupper(NewName) in~ (KnownDCNames)        // Renamed TO a DC name
| join kind=inner (
    AccountRenames
    | where toupper(OldName) in~ (KnownDCNames)    // Then renamed BACK from DC name
    | project RenameBackTime = RenameTime,
              RestoredName   = NewName,
              BackActor      = Actor,
              BackHost       = Host
) on $left.Actor == $right.BackActor,
   $left.Host   == $right.BackHost
| where RenameBackTime > RenameTime
    and RenameBackTime <= RenameTime + SequenceWindow
| join kind=inner (TGTRequests) on $left.Host == $right.TGTHost
| where TGTTime > RenameTime and TGTTime < RenameBackTime
    and TGTAccount == toupper(NewName)          // TGT must be for the spoofed DC name
| extend
    Severity = "Critical",
    AttackDuration_sec = datetime_diff("second", RenameBackTime, RenameTime),
    WhySuspicious = strcat(
        "NoPac_SAMAccountName_Spoof_CVE-2021-42278_42287; ",
        "Rename_to_DC: ", NewName, "; ",
        "TGT_Requested: ", TGTAccount, "; ",
        "Rename_Back_at: ", tostring(RenameBackTime), "; ",
        "Actor: ", Actor, "@", ActorDomain
    )
| project
    TimeGenerated    = RenameTime,
    Severity,
    WhySuspicious,
    Actor,
    ActorDomain,
    OldName,
    NewName,
    TGTAccount,
    RenameBackTime,
    AttackDuration_sec,
    Host
| order by TimeGenerated desc

Explanation

This query is designed to detect a specific type of cyber attack known as the NoPac/SAMAccountName Spoofing attack, which exploits vulnerabilities identified as CVE-2021-42278 and CVE-2021-42287. Here's a simplified breakdown of what the query does:

  1. Objective: The query aims to identify a sequence of events that indicate a potential attack on a network's domain controller (DC) by spoofing machine account names.

  2. Sequence Detection: The attack is detected by looking for a specific sequence of three events that occur within a 5-minute window on the same host:

    • Event 4781: A machine account's name is changed to match a DC's hostname.
    • Event 4768: A Ticket Granting Ticket (TGT) is requested for the renamed account.
    • Event 4781: The account name is changed back to its original name.

  3. Data Sources: The query analyzes data from the SecurityEvent table, focusing on events related to account name changes and TGT requests.

  4. Known DC Names: It first identifies known DC names by examining recent TGT requests.

  5. Account Renames: It tracks account renames by filtering for Event 4781 and machine accounts (those ending with a "$").

  6. TGT Requests: It identifies TGT requests whose target account name has no trailing "$", which is how a machine account appears after step 1 has stripped it.

  7. Correlation: The query correlates the rename events and TGT requests to detect the specific sequence of rename → TGT request → rename back, all performed by the same actor on the same host.

  8. Output: If the sequence is detected, it flags the event as "Critical" and provides details such as the time of the attack, the actor involved, the old and new account names, and the duration of the attack.

  9. Frequency: The query runs every 15 minutes, looking back over the past 15 minutes to catch any recent occurrences of the attack.

In summary, this query is a security measure to detect and alert on a sophisticated attack pattern that involves temporarily renaming machine accounts to impersonate a domain controller, thereby tricking the Key Distribution Center (KDC) into issuing unauthorized service tickets.
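The same three-step correlation, re-implemented in Python over a handful of constructed SecurityEvent-style records so the window, actor/host and account-name matching can be exercised offline. This is an added example and not part of the page's rule; the host, account and actor names (DC01.corp.example, WS-FAKE$, WS-SLOW$, jdoe, mallory) and the timestamps are all constructed.

```python
from datetime import datetime, timedelta

SEQUENCE_WINDOW = timedelta(minutes=5)   # all three steps within 5 min, as in the rule


def short_host(fqdn):
    """Computer on a 4768 event is the DC's FQDN; compare short hostnames like the rule does."""
    return fqdn.split(".")[0].upper()


def known_dc_names(events):
    """Mirror KnownDCNames: any host that logged a 4768 acted as a KDC, i.e. is a DC."""
    return {short_host(e["Computer"]) for e in events if e["EventID"] == 4768}


def detect_nopac(events, window=SEQUENCE_WINDOW):
    """Return one finding per rename-to-DC -> TGT -> rename-back sequence."""
    dcs = known_dc_names(events)
    # Steps 1 and 3: 4781 events touching a machine account on either side of the rename
    renames = [e for e in events if e["EventID"] == 4781
               and (e["OldTargetUserName"].endswith("$") or e["NewTargetUserName"].endswith("$"))]
    # Step 2: TGT requests for a name without the trailing $ (the spoofed DC name)
    tgts = [e for e in events if e["EventID"] == 4768 and not e["TargetUserName"].endswith("$")]
    findings = []
    for r1 in renames:
        spoofed = r1["NewTargetUserName"].upper()
        if spoofed not in dcs:
            continue                                   # renamed to something other than a DC name
        for r3 in renames:
            if (r3["OldTargetUserName"].upper() != spoofed
                    or r3["SubjectUserName"] != r1["SubjectUserName"]
                    or r3["Computer"] != r1["Computer"]):
                continue                               # not the matching rename-back by the same actor on the same host
            if not (r1["TimeGenerated"] < r3["TimeGenerated"] <= r1["TimeGenerated"] + window):
                continue                               # rename-back outside the 5-minute window
            for t in tgts:
                if (t["Computer"] == r1["Computer"]
                        and t["TargetUserName"].upper() == spoofed
                        and r1["TimeGenerated"] < t["TimeGenerated"] < r3["TimeGenerated"]):
                    findings.append({
                        "Severity": "Critical",
                        "Actor": r1["SubjectUserName"],
                        "OldName": r1["OldTargetUserName"],
                        "NewName": r1["NewTargetUserName"],
                        "TGTAccount": t["TargetUserName"].upper(),
                        "AttackDuration_sec": int((r3["TimeGenerated"] - r1["TimeGenerated"]).total_seconds()),
                        "Host": r1["Computer"],
                    })
    return findings


def ev(event_id, when, computer, **fields):
    """Build a constructed SecurityEvent-like record carrying only the fields the rule reads."""
    rec = {"EventID": event_id, "TimeGenerated": when, "Computer": computer,
           "TargetUserName": "", "OldTargetUserName": "", "NewTargetUserName": "",
           "SubjectUserName": ""}
    rec.update(fields)
    return rec


# Constructed sample data (not real telemetry); T0, hostnames and account names are made up.
T0 = datetime(2026, 3, 24, 10, 0, 0)
DC = "DC01.corp.example"
SAMPLE_EVENTS = [
    # full sequence, 60 seconds end to end -> flagged
    ev(4781, T0, DC, OldTargetUserName="WS-FAKE$", NewTargetUserName="DC01", SubjectUserName="jdoe"),
    ev(4768, T0 + timedelta(seconds=30), DC, TargetUserName="DC01"),
    ev(4781, T0 + timedelta(seconds=60), DC, OldTargetUserName="DC01", NewTargetUserName="WS-FAKE$", SubjectUserName="jdoe"),
    # ordinary user TGT on the same DC -> ignored
    ev(4768, T0 + timedelta(seconds=90), DC, TargetUserName="jdoe"),
    # same shape, but the rename-back lands 10 minutes later -> outside the window, not flagged
    ev(4781, T0 + timedelta(minutes=20), DC, OldTargetUserName="WS-SLOW$", NewTargetUserName="DC01", SubjectUserName="mallory"),
    ev(4768, T0 + timedelta(minutes=21), DC, TargetUserName="DC01"),
    ev(4781, T0 + timedelta(minutes=30), DC, OldTargetUserName="DC01", NewTargetUserName="WS-SLOW$", SubjectUserName="mallory"),
]

if __name__ == "__main__":
    for finding in detect_nopac(SAMPLE_EVENTS):
        print(finding)
```

Run against the constructed sample, only the 60-second jdoe sequence is reported; the mallory sequence has the same rename and TGT shape but its rename-back falls outside the window, which is the condition the rule's `SequenceWindow` bound expresses.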

Details


David Alonso

Released: March 24, 2026

Tables

SecurityEvent

Keywords

SecurityEvent

Operators

let, ago, toupper, trimend, summarize, by, where, endswith, extend, join, kind, inner, project, on, and, <=, >, <, in~, datetime_diff, strcat, tostring, order by, desc
