sAMAccountName Spoofing
Computer accounts should have a trailing $ in their name (i.e., in the sAMAccountName attribute), but no validation process existed to enforce it. Abused in combination with CVE-2021-42287, it allowed attackers to impersonate domain controller accounts.
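The convention described above (computer accounts end in $; the domain did not enforce it) can be audited from the defender's side. The following is an added example, not code from the original write-up: it returns the LDAP filter a practitioner would run against the directory, and applies the same check offline to a constructed list of sample records, flagging computer objects that lack the trailing $ and, separately, any such object whose name collides with a domain controller's name minus its $. The record structure, the sample names and the is_domain_controller flag are assumptions made for the example.

```python
"""Audit helper for the computer-account trailing-'$' convention.

Added example, not part of the original page. It runs offline over a
constructed list of directory records; in a real environment the records
would come from an LDAP query using the filter string returned by
computer_without_dollar_filter().
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class DirectoryObject:
    # Minimal stand-in for an AD object (assumed structure for this example).
    sam_account_name: str
    object_class: str                 # "computer" or "user"
    is_domain_controller: bool = False


# Constructed sample data; none of these names refer to a real domain.
SAMPLE_OBJECTS = [
    DirectoryObject("DC01$", "computer", is_domain_controller=True),
    DirectoryObject("WS-PC01$", "computer"),
    DirectoryObject("DC01", "computer"),   # computer object missing '$', collides with DC01$
    DirectoryObject("alice", "user"),      # users legitimately have no '$'
]


def computer_without_dollar_filter() -> str:
    """LDAP filter matching computer objects whose sAMAccountName lacks the trailing '$'.

    Standard LDAP filter syntax: '*' is the wildcard, '$' has no special meaning.
    """
    return "(&(objectClass=computer)(!(sAMAccountName=*$)))"


def missing_dollar(objects):
    """Return computer objects whose sAMAccountName does not end with '$'."""
    return [
        o for o in objects
        if o.object_class == "computer" and not o.sam_account_name.endswith("$")
    ]


def dc_name_collisions(objects):
    """Return (suspect, dc) name pairs where a '$'-less computer object matches a DC name.

    The DC's name is compared without its trailing '$', case-insensitively,
    because sAMAccountName comparisons in the directory are not case-sensitive.
    """
    dcs = {
        o.sam_account_name[:-1].lower(): o
        for o in objects
        if o.is_domain_controller and o.sam_account_name.endswith("$")
    }
    hits = []
    for suspect in missing_dollar(objects):
        dc = dcs.get(suspect.sam_account_name.lower())
        if dc is not None:
            hits.append((suspect.sam_account_name, dc.sam_account_name))
    return hits


if __name__ == "__main__":
    print("LDAP filter:", computer_without_dollar_filter())
    for o in missing_dollar(SAMPLE_OBJECTS):
        print("computer object without trailing $:", o.sam_account_name)
    for suspect, dc in dc_name_collisions(SAMPLE_OBJECTS):
        print(f"name collision: {suspect} matches domain controller {dc}")
```

The first list (any computer object without $) is the broad hygiene check; the collision list is the narrower condition worth alerting on, since a computer account whose name equals a domain controller's name without the $ is what the abuse described above relies on.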
PoC video
To do
- Add detailed walkthrough without script use.
- Add downloadable build scripts.
- Add mitigation.
- Add better IOC hunting solution.