KDC RC4-HMAC Downgrade CVE-2022-37966
Detects the exploitation of a security bypass and elevation of privilege vulnerability with Authentication Negotiation by using weak RC4-HMAC negotiation
Sigma rule (View on GitHub)
1title: KDC RC4-HMAC Downgrade CVE-2022-37966
2id: e6f81941-b1cd-4766-87db-9fc156f658ee
3status: test
4description: Detects the exploitation of a security bypass and elevation of privilege vulnerability with Authentication Negotiation by using weak RC4-HMAC negotiation
5references:
6 - https://support.microsoft.com/en-us/topic/kb5021131-how-to-manage-the-kerberos-protocol-changes-related-to-cve-2022-37966-fd837ac3-cdec-4e76-a6ec-86e67501407d
7author: Florian Roth (Nextron Systems)
8date: 2022/11/09
9tags:
10 - attack.privilege_escalation
11logsource:
12 product: windows
13 service: system
14detection:
15 selection:
16 EventID: 42
17 Provider_Name: 'Kerberos-Key-Distribution-Center'
18 Level: 2 # Error
19 condition: selection
20falsepositives:
21 - Unknown
22level: high
References
-
KB5021131: How to manage the Kerberos protocol changes related to CVE-2022-37966 - Microsoft Support
You will need to verify that all your devices have a common Kerberos Encryption type. For more information about Kerberos Encryption types, see Decrypting the Selection of Supported Kerberos Encry...
Read More
Related rules
- Abuse of Service Permissions to Hide Services Via Set-Service
- Abuse of Service Permissions to Hide Services Via Set-Service - PS
- Account Tampering - Suspicious Failed Logon Reasons
- Application AppID Uri Configuration Changes
- Application URI Configuration Changes