Windows DiagTrackEoP default login username

This rule is part of a beta feature. To learn more, contact Support.

Goal

Detects exploitation of the DiagTrack privilege escalation vulnerability using the default username indicator.

Strategy

This rule monitors Windows Security Audit events where @evt.id is 4624 (successful logon) with logon type 9 (NewCredentials) and @Event.EventData.Data.TargetOutboundUserName set to "thisisnotvaliduser". This specific username is a hardcoded indicator used by proof-of-concept exploits for the DiagTrack service privilege escalation vulnerability (CVE-2021-31958). The vulnerability allows a local attacker to escalate from a low-privileged user to SYSTEM by manipulating the Connected User Experiences and Telemetry service.
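The three conditions above, applied to constructed sample events, as an added Python example that is not part of the Datadog rule itself; the JSON nesting (host, evt.id, Event.EventData.Data.*) and the records are assumptions made for this illustration.

```python
import json

# Constructed sample Windows Security Audit events. The nesting follows the
# attribute names the rule cites (@evt.id, @Event.EventData.Data.*); the
# records are made up for this example and are not real exported events.
SAMPLE_EVENTS_JSON = r"""
[
 {"host": "ws01", "evt": {"id": 4624}, "Event": {"EventData": {"Data": {
   "LogonType": "9", "TargetOutboundUserName": "thisisnotvaliduser",
   "SubjectUserName": "lowpriv", "ProcessName": "C:\\Temp\\poc.exe"}}}},
 {"host": "ws01", "evt": {"id": 4624}, "Event": {"EventData": {"Data": {
   "LogonType": "9", "TargetOutboundUserName": "svc_backup",
   "SubjectUserName": "admin", "ProcessName": "C:\\Windows\\System32\\runas.exe"}}}},
 {"host": "ws02", "evt": {"id": 4624}, "Event": {"EventData": {"Data": {
   "LogonType": "2", "TargetOutboundUserName": "-",
   "SubjectUserName": "alice", "ProcessName": "C:\\Windows\\System32\\winlogon.exe"}}}},
 {"host": "ws02", "evt": {"id": 4625}, "Event": {"EventData": {"Data": {
   "LogonType": "9", "TargetOutboundUserName": "thisisnotvaliduser",
   "SubjectUserName": "bob", "ProcessName": "C:\\Temp\\poc.exe"}}}}
]
"""

INDICATOR_USER = "thisisnotvaliduser"


def _data(event):
    return event.get("Event", {}).get("EventData", {}).get("Data", {})


def is_diagtrack_indicator(event):
    """All three rule conditions: event 4624, logon type 9 (NewCredentials) and the
    hardcoded PoC username. The name is compared case-insensitively because Windows
    user names are not case-sensitive; 4625 (failed logon) is out of the rule's scope."""
    data = _data(event)
    return (
        str(event.get("evt", {}).get("id")) == "4624"
        and str(data.get("LogonType", "")) == "9"
        and str(data.get("TargetOutboundUserName", "")).lower() == INDICATOR_USER
    )


def find_matches(events):
    """Return the triage context (host, subject user, process) for each matching event."""
    return [{"host": ev.get("host"),
             "subject_user": _data(ev).get("SubjectUserName"),
             "process": _data(ev).get("ProcessName")}
            for ev in events if is_diagtrack_indicator(ev)]


if __name__ == "__main__":
    for hit in find_matches(json.loads(SAMPLE_EVENTS_JSON)):
        print(hit)  # only the first record matches
```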

Triage and response

  • Examine the source process and user context that triggered the NewCredentials logon with the default exploit username on {{host}}.
  • Check for signs of successful privilege escalation by reviewing subsequent high-privilege process execution or system-level activities.
  • Analyze the system for the presence of known DiagTrack exploit tools or suspicious PowerShell activity that may have triggered the vulnerability.
  • Review system patching status to determine if the CVE-2021-31958 vulnerability has been properly remediated.
  • Investigate the initial access vector that allowed the attacker to execute the privilege escalation exploit on the system.