Windows DiagTrackEoP default login username

This rule is part of a beta feature. To learn more, contact Support.

Goal

Detects exploitation of the DiagTrack (Connected User Experiences and Telemetry) service privilege escalation vulnerability by matching the default username hardcoded in the public proof-of-concept exploit.

Strategy

This rule monitors Windows Security Audit events where @evt.id is 4624 (an account was successfully logged on) with logon type 9 (NewCredentials) and @Event.EventData.Data.TargetOutboundUserName set to “thisisnotvaliduser”. A NewCredentials logon is created by LogonUser with LOGON32_LOGON_NEW_CREDENTIALS (the mechanism behind runas /netonly): the caller keeps its own local identity and the supplied credentials are used only for outbound network authentication, so they are not validated at logon time and any placeholder string is accepted and recorded in TargetOutboundUserName. “thisisnotvaliduser” is the placeholder hardcoded in the public proof-of-concept for the DiagTrack service privilege escalation vulnerability (CVE-2021-31958), which lets a local low-privileged user gain SYSTEM by abusing the Connected User Experiences and Telemetry service. Because the string is only a default in the proof-of-concept, a modified exploit will not trigger this rule; treat a match as high confidence, but not as the only detection for this technique.
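The detection logic applied to sample events, as an added example that is not part of this rule page or of Datadog's rule engine. The input events are constructed here in the XML shape that Get-WinEvent's .ToXml() returns for Security events; the host name, account names, logon ID and process path are placeholders. Besides evaluating the rule, it pulls out the subject user, process and host an analyst needs first, and shows that a legitimate runas /netonly logon (also type 9) does not match.

```python
"""Apply the DiagTrackEoP default-username rule to Windows Security events.

Added example, not Datadog's implementation. Events below are constructed
samples in the Windows event XML schema; names and paths are placeholders.
"""
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
EXPLOIT_USERNAME = "thisisnotvaliduser"   # placeholder hardcoded in the PoC
LOGON_NEW_CREDENTIALS = "9"               # runas /netonly style logon

SAMPLE_EVENTS = [
    # Constructed: NewCredentials logon carrying the PoC's placeholder username.
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4624</EventID>
    <Computer>WORKSTATION</Computer></System>
  <EventData>
    <Data Name="SubjectUserName">lowpriv</Data>
    <Data Name="SubjectDomainName">WORKSTATION</Data>
    <Data Name="TargetUserName">lowpriv</Data>
    <Data Name="TargetLogonId">0x3e7a1</Data>
    <Data Name="LogonType">9</Data>
    <Data Name="TargetOutboundUserName">thisisnotvaliduser</Data>
    <Data Name="TargetOutboundDomainName">-</Data>
    <Data Name="ProcessName">C:\Users\lowpriv\Downloads\poc.exe</Data>
  </EventData>
</Event>""",
    # Constructed: benign runas /netonly by an admin with a real outbound account.
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4624</EventID>
    <Computer>WORKSTATION</Computer></System>
  <EventData>
    <Data Name="SubjectUserName">admin</Data>
    <Data Name="SubjectDomainName">CORP</Data>
    <Data Name="TargetUserName">admin</Data>
    <Data Name="TargetLogonId">0x41b20</Data>
    <Data Name="LogonType">9</Data>
    <Data Name="TargetOutboundUserName">svc_backup</Data>
    <Data Name="TargetOutboundDomainName">CORP</Data>
    <Data Name="ProcessName">C:\Windows\System32\runas.exe</Data>
  </EventData>
</Event>""",
    # Constructed: ordinary interactive logon; no TargetOutboundUserName at all.
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4624</EventID>
    <Computer>WORKSTATION</Computer></System>
  <EventData>
    <Data Name="SubjectUserName">-</Data>
    <Data Name="TargetUserName">lowpriv</Data>
    <Data Name="TargetLogonId">0x2c0f9</Data>
    <Data Name="LogonType">2</Data>
    <Data Name="ProcessName">C:\Windows\System32\winlogon.exe</Data>
  </EventData>
</Event>""",
]


def parse_event(xml_text: str) -> dict:
    """Flatten one Security event into a dict of EventData fields plus EventID/Computer."""
    root = ET.fromstring(xml_text)
    fields = {
        "EventID": root.findtext("e:System/e:EventID", namespaces=NS),
        "Computer": root.findtext("e:System/e:Computer", namespaces=NS),
    }
    for data in root.findall("e:EventData/e:Data", NS):
        fields[data.get("Name")] = (data.text or "").strip()
    return fields


def matches_rule(ev: dict) -> bool:
    """4624 + LogonType 9 + TargetOutboundUserName equal to the PoC placeholder."""
    # Windows account names are case-insensitive, so compare in lowercase.
    return (
        ev.get("EventID") == "4624"
        and ev.get("LogonType") == LOGON_NEW_CREDENTIALS
        and ev.get("TargetOutboundUserName", "").lower() == EXPLOIT_USERNAME
    )


def triage_context(ev: dict) -> dict:
    """The fields an analyst wants first: who ran it, from which process, on what host."""
    return {
        "host": ev.get("Computer", ""),
        "subject_user": f"{ev.get('SubjectDomainName', '')}\\{ev.get('SubjectUserName', '')}",
        "process": ev.get("ProcessName", ""),
        "logon_id": ev.get("TargetLogonId", ""),
    }


def find_hits(events):
    """Return triage context for every event that matches the rule."""
    return [triage_context(ev) for ev in map(parse_event, events) if matches_rule(ev)]


if __name__ == "__main__":
    for hit in find_hits(SAMPLE_EVENTS):
        print(hit)
```

The second sample is the usual false-positive shape to keep in mind: type 9 logons are normal whenever an administrator uses runas /netonly or a tool opens a NewCredentials token, so the rule keys on the placeholder username rather than on logon type alone. The logon_id it returns is the value to pivot on when looking for follow-on SYSTEM activity from the same session.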

Triage and response

  • Examine the source process and user context (SubjectUserName, ProcessName) that created the NewCredentials logon with the default exploit username on {{host}}.
  • Check for signs of successful privilege escalation: processes or logons running as SYSTEM that follow the event, or other system-level activity originating from the same session.
  • Look for known DiagTrack exploit tooling or suspicious PowerShell activity on the host that may have launched the exploit.
  • Review the host's patch status to confirm that the fix for CVE-2021-31958 has been applied.
  • Investigate the initial access vector that allowed the attacker to run the privilege escalation exploit on the system.