SAMAccountName Impersonation



The critical CVE-2021-42287 can lead to an elevation of privileges on the domain from a standard account. The flaw arises from bad handling of requests targeting an object with a nonexistent sAMAccountName attribute. The domain controller automatically adds a trailing dollar sign ($) to the sAMAccountName value if it doesn't find one, which can lead to the impersonation of a targeted computer account.

See Also

MITRE ATT&CK description

KB5008380 - Authentication updates (CVE-2021-42287)

CVE-2021-42287/CVE-2021-42278 Weaponisation

PACRequestorEnforcement and Kerberos Authentication

Indicator Details

Name: SAMAccountName Impersonation

Codename: I-SamNameImpersonation

Severity: High

MITRE ATT&CK Information:
ID: T1068
Sub-technique of: T1068
Tactic: TA0004