KDC RC4-HMAC Downgrade CVE-2022-37966
Detects the exploitation of a security bypass and elevation of privilege vulnerability with Authentication Negotiation by using weak RC4-HMAC negotiation
Sigma rule

title: KDC RC4-HMAC Downgrade CVE-2022-37966
id: e6f81941-b1cd-4766-87db-9fc156f658ee
status: test
description: Detects the exploitation of a security bypass and elevation of privilege vulnerability with Authentication Negotiation by using weak RC4-HMAC negotiation
references:
    - https://support.microsoft.com/en-us/topic/kb5021131-how-to-manage-the-kerberos-protocol-changes-related-to-cve-2022-37966-fd837ac3-cdec-4e76-a6ec-86e67501407d
author: Florian Roth (Nextron Systems)
date: 2022-11-09
tags:
    - attack.privilege-escalation
logsource:
    product: windows
    service: system
detection:
    selection:
        EventID: 42
        Provider_Name: 'Kerberos-Key-Distribution-Center'
        Level: 2 # Error
    condition: selection
falsepositives:
    - Unknown
level: high
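The rule's selection applied to Windows System-log records, as an added example that is not part of the rule or the Sigma project: the records are constructed EVTX-style XML (computer names and the unrelated provider are made up), flattened into the Sigma field names the rule uses, and matched with the rule's AND-of-all-fields condition.

```python
# Added example, not from the Sigma rule: matches EventID 42 from
# Kerberos-Key-Distribution-Center at Level 2 (Error) in System-log records.
import xml.etree.ElementTree as ET

# Windows event XML namespace.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# The rule's 'selection' block, as field -> expected value.
SELECTION = {
    "EventID": 42,
    "Provider_Name": "Kerberos-Key-Distribution-Center",
    "Level": 2,
}

def make_record(event_id: int, provider: str, level: int, computer: str) -> str:
    """Build a minimal EVTX-style XML record (constructed sample data)."""
    return (f'<Event xmlns="{NS["e"]}"><System>'
            f'<Provider Name="{provider}"/><EventID>{event_id}</EventID>'
            f'<Level>{level}</Level><Computer>{computer}</Computer>'
            '</System></Event>')

def parse_event(xml_text: str) -> dict:
    """Flatten the <System> section into the Sigma field names the rule uses."""
    system = ET.fromstring(xml_text).find("e:System", NS)
    return {
        "EventID": int(system.find("e:EventID", NS).text),
        "Provider_Name": system.find("e:Provider", NS).get("Name"),
        "Level": int(system.find("e:Level", NS).text),
        "Computer": system.find("e:Computer", NS).text,
    }

def matches_rule(event: dict) -> bool:
    """Sigma 'condition: selection': every selection field must be equal."""
    return all(event.get(field) == value for field, value in SELECTION.items())

def detect(xml_records) -> list:
    """Return the Computer of each record that triggers the rule."""
    events = [parse_event(record) for record in xml_records]
    return [e["Computer"] for e in events if matches_rule(e)]

# Constructed samples: one KDC error event 42 and three that must not match
# (wrong level, wrong event ID, wrong provider). Hostnames are placeholders.
SAMPLE_EVENTS = [
    make_record(42, "Kerberos-Key-Distribution-Center", 2, "DC01.example.test"),
    make_record(42, "Kerberos-Key-Distribution-Center", 4, "DC01.example.test"),
    make_record(16, "Kerberos-Key-Distribution-Center", 2, "DC02.example.test"),
    make_record(42, "Example-Unrelated-Provider", 2, "WS01.example.test"),
]

if __name__ == "__main__":
    print(detect(SAMPLE_EVENTS))  # ['DC01.example.test']
```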