Suspicious Computer name containing SamTheAdmin
Last updated on:
In this page
About the rule
Rule Type
Standard
Rule Description
Detects suspicious computer account name patterns associated with the SamTheAdmin technique, where attackers manipulate machine account names to impersonate privileged users and exploit domain controller vulnerabilities.
Severity
Attention
Rule Requirement
Criteria
Action1:
actionname = "Machine account modified" AND (SAMACCOUNTNAME startswith "SAMTHEADMIN-" AND SAMACCOUNTNAME endswith "$")
select Action1.HOSTNAME,Action1.MESSAGE,Action1.DOMAIN,Action1.TARGETDOMAIN,Action1.TARGETMACHINE,Action1.USERNAME,Action1.CHANGES,Action1.DISPLAYNAME,Action1.SAMACCOUNTNAME,Action1.USERPRINCIPALNAME
Detection
Execution Mode
realtime
Log Sources
Active Directory
Author
@elhoim


