Windows suspicious computer name containing Samtheadmin
Goal
Detects systems or accounts named “samtheadmin” that indicate compromise through unauthorized privilege escalation and persistence.
Strategy
This rule monitors Windows events for the specific string patterns “samtheadmin” or “SAMTHEADMIN” in both @Event.EventData.Data.SamAccountName
and @Event.EventData.Data.TargetUserName
fields. These naming patterns are associated with targeted attack campaigns where adversaries create administrative accounts or rename systems during post-exploitation activities.
The “samtheadmin” naming convention is a strong indicator of compromise as legitimate administrators avoid using such obvious administrative naming conventions that draw attention to privileged accounts.
Triage & Response
- Verify the suspicious account or computer name existence on
{{host}}
. - Determine when the account was created or system was renamed.
- Review authentication logs for activity involving the suspicious account.
- Examine assigned privileges and group memberships for privilege escalation.
- Search for concurrent suspicious account creation activities.
- Investigate lateral movement attempts from the compromised system.
- Reset all administrative credentials that may have been compromised.
- Isolate affected systems from the network.