Potential KDC RC4-HMAC Downgrade Exploit - CVE-2022-37966
Detects exploitation of a security bypass and elevation of privilege vulnerability in Kerberos authentication negotiation (CVE-2022-37966) that relies on negotiating the weak RC4-HMAC encryption type
Sigma rule
title: Potential KDC RC4-HMAC Downgrade Exploit - CVE-2022-37966
id: e6f81941-b1cd-4766-87db-9fc156f658ee
status: test
description: Detects the exploitation of a security bypass and elevation of privilege vulnerability with Authentication Negotiation by using weak RC4-HMAC negotiation
references:
    - https://support.microsoft.com/en-us/topic/kb5021131-how-to-manage-the-kerberos-protocol-changes-related-to-cve-2022-37966-fd837ac3-cdec-4e76-a6ec-86e67501407d
author: Florian Roth (Nextron Systems)
date: 2022-11-09
modified: 2025-11-03
tags:
    - attack.privilege-escalation
    - detection.emerging-threats
    - cve.2022-37966
logsource:
    product: windows
    service: system
detection:
    selection:
        EventID: 42
        Provider_Name:
            - 'Kerberos-Key-Distribution-Center'
            - 'Microsoft-Windows-Kerberos-Key-Distribution-Center'
        Level: 2 # Error
    condition: selection
falsepositives:
    - Unknown
level: high
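The selection above applied to log records, as an added example that is not part of the rule or the Sigma project: a small evaluator with standard Sigma selection semantics (every field must match; a list of values for one field is an OR) run over constructed Windows System event records. The event dictionaries, host names and the `find_hits` helper are assumptions made for the example.

```python
# Added example: evaluate the rule's selection block against constructed
# Windows System events. Field names follow the Sigma windows/system
# log source used by the rule; the event records are constructed, not real.

# Selection copied from the rule above. Level 2 is the Windows "Error" level.
SELECTION = {
    "EventID": 42,
    "Provider_Name": [
        "Kerberos-Key-Distribution-Center",
        "Microsoft-Windows-Kerberos-Key-Distribution-Center",
    ],
    "Level": 2,
}


def field_matches(expected, actual):
    """One selection field: a list is an OR of alternatives. Values are
    compared as strings so a text-exported '42' still matches the integer 42."""
    if actual is None:
        return False
    candidates = expected if isinstance(expected, list) else [expected]
    return any(str(actual) == str(c) for c in candidates)


def selection_matches(event, selection=SELECTION):
    """Sigma selection semantics: all fields in the block must match (AND)."""
    return all(field_matches(v, event.get(k)) for k, v in selection.items())


# Constructed sample events (assumed host names, not real log data).
KDC = "Microsoft-Windows-Kerberos-Key-Distribution-Center"
SAMPLE_EVENTS = [
    {"EventID": 42, "Provider_Name": KDC, "Level": 2, "Computer": "dc01.example.test"},
    {"EventID": 42, "Provider_Name": "Kerberos-Key-Distribution-Center",
     "Level": "2", "Computer": "dc02.example.test"},          # string level still matches
    {"EventID": 42, "Provider_Name": KDC, "Level": 4, "Computer": "dc01.example.test"},  # Informational
    {"EventID": 16, "Provider_Name": KDC, "Level": 2, "Computer": "dc01.example.test"},  # other KDC error
    {"EventID": 42, "Provider_Name": "Microsoft-Windows-Kernel-General",
     "Level": 2, "Computer": "dc01.example.test"},            # wrong provider
]


def find_hits(events):
    """Count matching events per domain controller (the value a triage view needs)."""
    hits = {}
    for ev in events:
        if selection_matches(ev):
            hits[ev["Computer"]] = hits.get(ev["Computer"], 0) + 1
    return hits


if __name__ == "__main__":
    print(find_hits(SAMPLE_EVENTS))  # {'dc01.example.test': 1, 'dc02.example.test': 1}
```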
Related rules
- Antivirus PrinterNightmare CVE-2021-34527 Exploit Detection
- CVE-2021-1675 Print Spooler Exploitation Filename Pattern
- OMIGOD HTTP No Authentication RCE - CVE-2021-38647
- Potential Nimbuspwn Exploit CVE-2022-29799 and CVE-2022-27800
- Potential PrintNightmare Exploitation Attempt