Suspicious Computer name containing SamTheAdmin

Last updated on:

About the rule

Rule Type

Standard

Rule Description

Detects suspicious computer account name patterns associated with the SamTheAdmin technique, where attackers manipulate machine account names to impersonate privileged users and exploit domain controller vulnerabilities.

Severity

Attention

Rule Requirement

Criteria

Action1: actionname = "Machine account modified" AND (SAMACCOUNTNAME startswith "SAMTHEADMIN-" AND SAMACCOUNTNAME endswith "$") select Action1.HOSTNAME,Action1.MESSAGE,Action1.DOMAIN,Action1.TARGETDOMAIN,Action1.TARGETMACHINE,Action1.USERNAME,Action1.CHANGES,Action1.DISPLAYNAME,Action1.SAMACCOUNTNAME,Action1.USERPRINCIPALNAME

Detection

Execution Mode

realtime

Log Sources

Active Directory

Author

@elhoim