Emerging Threathightest

Potential KDC RC4-HMAC Downgrade Exploit - CVE-2022-37966

Detects the exploitation of a security bypass and elevation of privilege vulnerability with Authentication Negotiation by using weak RC4-HMAC negotiation

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Florian Roth (Nextron Systems)Created Wed Nov 09Updated Mon Nov 03e6f81941-b1cd-4766-87db-9fc156f658ee2022

Emerging Threat

Active Threat

Developed to detect an active or emerging threat. Prioritize investigation of any alerts and correlate with threat intelligence.

Log Source

Windowssystem

ProductWindows← raw: windows

Servicesystem← raw: system

Detection Logic

detection:
    selection:
        EventID: 42
        Provider_Name:
            - 'Kerberos-Key-Distribution-Center'
            - 'Microsoft-Windows-Kerberos-Key-Distribution-Center'
        Level: 2  # Error
    condition: selection

False Positives

Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References

Resolving title…

support.microsoft.com

MITRE ATT&CK

Tactics

TA0004 · Privilege Escalation

Other

detection.emerging-threatscve.2022-37966

Rule Metadata

Rule ID

e6f81941-b1cd-4766-87db-9fc156f658ee

Status

test

Level

high

Type

Emerging Threat

Created

Wed Nov 09

Modified

Mon Nov 03

Author

Florian Roth (Nextron Systems)

Path

rules-emerging-threats/2022/Exploits/CVE-2022-37966/win_system_exploit_cve_2022_37966_kdcsvc_rc4_downgrade.yml

Raw Tags

attack.privilege-escalationdetection.emerging-threatscve.2022-37966

View on GitHub