Classification:

attack

Tactic:

TA0004-privilege-escalation

Technique:

T1078-valid-accounts

VIEW RULE IN DATADOG VIEW SIGNALS

Goal

Detects systems or accounts named “samtheadmin” that indicate compromise through unauthorized privilege escalation and persistence.

Strategy

This rule monitors Windows events for the specific string patterns “samtheadmin” or “SAMTHEADMIN” in both @Event.EventData.Data.SamAccountName and @Event.EventData.Data.TargetUserName fields. These naming patterns are associated with targeted attack campaigns where adversaries create administrative accounts or rename systems during post-exploitation activities.

The “samtheadmin” naming convention is a strong indicator of compromise as legitimate administrators avoid using such obvious administrative naming conventions that draw attention to privileged accounts.

Triage & Response

• Verify the suspicious account or computer name existence on {{host}}.
• Determine when the account was created or system was renamed.
• Review authentication logs for activity involving the suspicious account.
• Examine assigned privileges and group memberships for privilege escalation.
• Search for concurrent suspicious account creation activities.
• Investigate lateral movement attempts from the compromised system.
• Reset all administrative credentials that may have been compromised.
• Isolate affected systems from the network.