KDC RC4-HMAC Downgrade CVE-2022-37966

Detects exploitation of CVE-2022-37966, a security bypass and elevation of privilege vulnerability in Kerberos authentication negotiation that relies on downgrading to the weak RC4-HMAC cipher.

Sigma rule

title: KDC RC4-HMAC Downgrade CVE-2022-37966
id: e6f81941-b1cd-4766-87db-9fc156f658ee
status: test
description: Detects the exploitation of a security bypass and elevation of privilege vulnerability with Authentication Negotiation by using weak RC4-HMAC negotiation
references:
    - https://support.microsoft.com/en-us/topic/kb5021131-how-to-manage-the-kerberos-protocol-changes-related-to-cve-2022-37966-fd837ac3-cdec-4e76-a6ec-86e67501407d
author: Florian Roth (Nextron Systems)
date: 2022-11-09
modified: 2025-09-22
tags:
    - attack.privilege-escalation
logsource:
    product: windows
    service: system
detection:
    selection:
        EventID: 42
        Provider_Name:
            - 'Kerberos-Key-Distribution-Center'
            - 'Microsoft-Windows-Kerberos-Key-Distribution-Center'
        Level: 2  # Error
    condition: selection
falsepositives:
    - Unknown
level: high
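The following is an added worked example, not part of the Sigma rule or the Sigma project's code, showing how the rule's selection evaluates against Windows System-log events. It applies standard Sigma matching semantics (all fields of a selection must match; a list of values for one field means any value matches; string comparison is case-insensitive) to constructed sample events that use the rule's own field names (EventID, Provider_Name, Level). The sample events, the host name and the helper function names are assumptions made for the example.

```python
"""Apply the rule's `selection` block to constructed Windows System-log events.

Added example; not code from the Sigma project. Events are plain dicts keyed
by the Sigma field names used in the rule (EventID, Provider_Name, Level).
"""

# Field/value conditions copied from the rule's `selection` block.
# Each field must match (AND); a list of values is an OR over those values.
SELECTION = {
    "EventID": [42],
    "Provider_Name": [
        "Kerberos-Key-Distribution-Center",
        "Microsoft-Windows-Kerberos-Key-Distribution-Center",
    ],
    "Level": [2],  # Windows event Level 2 = Error
}


def _normalize(value):
    """Sigma compares strings case-insensitively; numeric IDs are compared
    as strings so that 42 and "42" are treated alike."""
    return str(value).lower()


def matches_selection(event, selection=SELECTION):
    """Return True if every field of `selection` is present in `event`
    and holds one of the allowed values."""
    for field, allowed in selection.items():
        if field not in event:
            return False
        if _normalize(event[field]) not in {_normalize(v) for v in allowed}:
            return False
    return True


def find_matches(events):
    """Return the events that satisfy the rule's condition
    (`condition: selection`, i.e. the single selection alone)."""
    return [e for e in events if matches_selection(e)]


# Constructed sample events (not real log data). The host name is made up.
SAMPLE_EVENTS = [
    # Error-level event 42 from the KDC provider: this is what the rule fires on.
    {"EventID": 42, "Provider_Name": "Microsoft-Windows-Kerberos-Key-Distribution-Center",
     "Level": 2, "Computer": "DC01.example.test"},
    # Same event ID and provider but Level 4 (Information): not matched.
    {"EventID": 42, "Provider_Name": "Microsoft-Windows-Kerberos-Key-Distribution-Center",
     "Level": 4, "Computer": "DC01.example.test"},
    # Event 42 at Error level from an unrelated provider: not matched.
    {"EventID": 42, "Provider_Name": "Microsoft-Windows-Kernel-General",
     "Level": 2, "Computer": "DC01.example.test"},
    # Different event ID from the KDC provider (short provider name): not matched.
    {"EventID": 16, "Provider_Name": "Kerberos-Key-Distribution-Center",
     "Level": 2, "Computer": "DC01.example.test"},
]


if __name__ == "__main__":
    for hit in find_matches(SAMPLE_EVENTS):
        print(f"ALERT level=high host={hit['Computer']} "
              f"provider={hit['Provider_Name']} event_id={hit['EventID']}")
```

Only the first sample event matches. Note that the selection keys solely on provider, event ID and level; the event's message text is not inspected, so every Error-level event 42 from the KDC provider raises the alert and triage has to look at the event body to see which account it concerns.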
