
POC details: 233374030ab86dc3b6e14703502031023124f232

Source
Related vulnerability
Title: Microsoft Windows Server code issue vulnerability (CVE-2022-30216)
Description: Microsoft Windows Server is a server operating system from Microsoft Corporation (USA). The Microsoft Windows Server Service contains a code issue vulnerability. The following products and versions are affected: Windows 10 Version 21H1 for x64-based Systems, Windows 10 Version 21H1 for ARM64-based Systems, Windows 10 Version 21H1 for 32-bit Systems, Windows Ser
Description
Zeek detection logic for CVE-2022-30216.
Introduction
# CVE-2022-30216
A Zeek package that raises notices for attempts and exploits of CVE-2022-30216, a technique used against Windows Server to force an NTLM authentication to an arbitrary server. An attacker can reuse the NTLM token to generate a client certificate, enabling them to request a Kerberos ticket that accesses the domain controller.

## Installation

`$ zkg install cve-2022-30216`

Use against a pcap you already have:

`$ zeek -Cr scripts/__load__.zeek your.pcap`


## Example Notice

Two notices can be generated from this package:
  - `CVE_2022_30216_Detection::ExploitAttempt`, and
  - `CVE_2022_30216_Detection::ExploitSuccess`

The first is generated when an attack is attempted, but does not necessarily succeed. The second is fired only when a successful exploit is detected and should be investigated immediately. Below is an example of a successful exploit notice.
```
XXXXXXXXXX.XXXXXX	CFLRIC3zaTU1loLGxh	192.168.56.104	53084	192.168.56.102	445	-	-	-	tcp	CVE_2022_30216_Detection::ExploitSuccess	Successful CVE-2022-30216 exploit: 192.168.56.104 exploited 192.168.56.102 relaying to 192.168.56.105	-	192.168.56.104	192.168.56.102	445	-	-	Notice::ACTION_LOG	(empty)	360XXXXXXXXXX.XXXXXX	-	-	-	-	-
```
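A small triage helper for notice.log lines like the one above, added here as an example and not part of the package. It assumes the Zeek 4.x notice.log column order (check your log's `#fields` header) and the success-message layout shown in the README; the sample line is constructed from that example with placeholder timestamps filled in.

```python
import re
from collections import Counter

# Column order of a Zeek 4.x notice.log (assumed; confirm against the #fields header of your log).
NOTICE_FIELDS = (
    "ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc "
    "proto note msg sub src dst p n peer_descr actions email_dest suppress_for "
    "remote_location.country_code remote_location.region remote_location.city "
    "remote_location.latitude remote_location.longitude"
).split()
ATTEMPT = "CVE_2022_30216_Detection::ExploitAttempt"
SUCCESS = "CVE_2022_30216_Detection::ExploitSuccess"
# Message layout of the package's success notice, taken from the README's example.
SUCCESS_MSG = re.compile(r"Successful CVE-2022-30216 exploit: (?P<attacker>\S+) "
                         r"exploited (?P<victim>\S+) relaying to (?P<relay>\S+)")

def parse_notice_line(line):
    """Split one TSV notice.log line into a field dict; skip '#' header/comment lines."""
    if not line or line.startswith("#"):
        return None
    parts = line.rstrip("\n").split("\t")
    return dict(zip(NOTICE_FIELDS, parts)) if len(parts) == len(NOTICE_FIELDS) else None

def triage(lines):
    """Count this package's notices and pull attacker/victim/relay triples from successes."""
    counts, successes = Counter(), []
    for rec in filter(None, map(parse_notice_line, lines)):
        if rec["note"] not in (ATTEMPT, SUCCESS):
            continue  # notices from other Zeek scripts are out of scope here
        counts[rec["note"]] += 1
        m = SUCCESS_MSG.match(rec["msg"]) if rec["note"] == SUCCESS else None
        if m:
            triple = m.groupdict()
            # Cross-check the message against the connection tuple logged with the notice.
            triple["consistent"] = (triple["attacker"] == rec["id.orig_h"]
                                    and triple["victim"] == rec["id.resp_h"])
            successes.append(triple)
    return {"attempts": counts[ATTEMPT], "successes": successes}

# Constructed sample: a #fields header plus the README's success notice with timestamps filled in.
SAMPLE_LINES = [
    "#fields\t" + "\t".join(NOTICE_FIELDS),
    "\t".join(["1650000000.000000", "CFLRIC3zaTU1loLGxh", "192.168.56.104", "53084",
               "192.168.56.102", "445", "-", "-", "-", "tcp", SUCCESS,
               "Successful CVE-2022-30216 exploit: 192.168.56.104 exploited 192.168.56.102 "
               "relaying to 192.168.56.105", "-", "192.168.56.104", "192.168.56.102", "445",
               "-", "-", "Notice::ACTION_LOG", "(empty)", "3600.000000", "-", "-", "-", "-", "-"]),
]
```

The `relay` field names the host the coerced authentication was sent to, which is the third machine to pull into the investigation alongside the two ends of the SMB connection.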

## Installing

This package can be installed with `zkg` using the following commands:

```
$ zkg refresh
$ zkg install cve-2022-30216
```

## Test PCAPs
Our test pcaps were created by exploiting a proof of concept payload on an instance of [DetectionLab](https://www.detectionlab.network), slightly modified to use Windows Server 2022 for the domain controller and WEF machines, instead of the default, Windows Server 2016.

## References

1. https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-30216
2. https://www.detectionlab.network
File snapshot

```
/data/pocs/233374030ab86dc3b6e14703502031023124f232
├── [ 49]  COPYING
├── [1.7K] README.md
├── [4.0K] scripts
│   ├── [ 13]  __load__.zeek
│   └── [1.5K] main.zeek
├── [4.0K] testing
│   ├── [4.0K] Baseline
│   │   ├── [4.0K] tests.successful-exploit
│   │   │   └── [1.3K] notice.log
│   │   └── [4.0K] tests.unsuccessful-exploit
│   │       └── [1.0K] notice.log
│   ├── [ 558] btest.cfg
│   ├── [4.0K] Files
│   │   └── [ 192] random.seed
│   ├── [ 28]  Makefile
│   ├── [4.0K] Scripts
│   │   ├── [ 383] diff-remove-timestamps
│   │   ├── [1.3K] get-zeek-env
│   │   └── [ 303] README
│   ├── [4.0K] tests
│   │   ├── [ 177] successful-exploit.zeek
│   │   └── [ 222] unsuccessful-exploit.zeek
│   └── [4.0K] Traces
│       ├── [248K] successful.pcap
│       └── [ 72K] unsuccessful.pcap
└── [ 358] zkg.meta

9 directories, 17 files
```