Sigma rules · CVE-2022-34782

Home/CVE-2022-34782/Sigma rules

Sigma

Sigma rules for CVE-2022-34782

2 rules · scoped to cve · back to CVE-2022-34782

Direct rules mention this entity in their title or description. Related rules cover the techniques this entity is known to use.

◈

Detection rules

2 of 2

direct medium

Cloudflared Tunnels Related DNS Requests

Detects DNS requests to Cloudflared tunnels domains. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.

status test author Nasreddine Bencherchali (Nextron Systems) id a1d9eec5-33b2-4177-8d24-27fe754d0812 license Sigma · DRL-1.1

view Sigma YAML

title: Cloudflared Tunnels Related DNS Requests
id: a1d9eec5-33b2-4177-8d24-27fe754d0812
related:
    - id: 7cd1dcdc-6edf-4896-86dc-d1f19ad64903
      type: similar
status: test
description: |
    Detects DNS requests to Cloudflared tunnels domains.
    Attackers can abuse that feature to establish a reverse shell or persistence on a machine.
references:
    - https://www.guidepointsecurity.com/blog/tunnel-vision-cloudflared-abused-in-the-wild/
    - Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-12-20
tags:
    - attack.command-and-control
    - attack.t1071.001
    - attack.t1572
logsource:
    category: dns_query
    product: windows
detection:
    selection:
        QueryName|endswith:
            - '.v2.argotunnel.com'
            - 'protocol-v2.argotunnel.com'
            - 'trycloudflare.com'
            - 'update.argotunnel.com'
    condition: selection
falsepositives:
    - Legitimate use of cloudflare tunnels will also trigger this.
level: medium

direct medium

Potential AS-REP Roasting via Kerberos TGT Requests

Detects suspicious Kerberos TGT requests with pre-authentication disabled (Pre-Authentication Type = 0) and Ticket Encryption Type (0x17) i.e, RC4-HMAC. This may indicate an AS-REP Roasting attack, where attackers request AS-REP messages for accounts without pre-authentication and attempt to crack the encrypted ticket offline to recover user passwords.

status experimental author ANosir id 3e2f1b2c-4d5e-11ee-be56-0242ac120002 license Sigma · DRL-1.1

view Sigma YAML

title: Potential AS-REP Roasting via Kerberos TGT Requests
id: 3e2f1b2c-4d5e-11ee-be56-0242ac120002
status: experimental
description: |
    Detects suspicious Kerberos TGT requests with pre-authentication disabled (Pre-Authentication Type = 0) and Ticket Encryption Type (0x17) i.e, RC4-HMAC.
    This may indicate an AS-REP Roasting attack, where attackers request AS-REP messages for accounts without pre-authentication and attempt to crack the encrypted ticket offline to recover user passwords.
references:
    - https://medium.com/system-weakness/detecting-as-rep-roasting-attacks-b5b3965f9714
    - https://www.picussecurity.com/resource/blog/as-rep-roasting-attack-explained-mitre-attack-t1558.004
author: ANosir
date: 2025-05-22
modified: 2025-07-04
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4768
        TicketEncryptionType: '0x17'
        ServiceName: 'krbtgt'
        PreAuthType: 0
    condition: selection
falsepositives:
    - Legacy systems or applications that legitimately use RC4 encryption
    - Misconfigured accounts with pre-authentication disabled
level: medium

Showing 1-2 of 2

Prev 1 Next

Vulnerabilities
CISA KEV catalog
CWE weaknesses
CAPEC attack patterns
Package vulnerabilities

Threat intelligence
Threat actors
Tools & malware
ATT&CK techniques
IOCs

Detection & defense
Sigma rules
YARA rules
Atomic Red Team tests
D3FEND countermeasures

Compliance
NIST 800-53
ISO 27001:2022
SOC 2 TSC
PCI-DSS v4.0
CIS Controls v8.1

About
All capabilities
Live statistics
Data sources
Privacy policy
Terms of service

threatengine.sh · Open-source threat intelligence platform · 100+ authoritative sources · Every fact traces to its origin