Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2022-30216 PoC — Windows Server Service Tampering Vulnerability

Source
https://github.com/corelight/CVE-2022-30216
Associated Vulnerability
Title:Windows Server Service Tampering Vulnerability (CVE-2022-30216)
Description:Windows Server Service Tampering Vulnerability
Description
Zeek detection logic for CVE-2022-30216.
Readme
# CVE-2022-30216
A Zeek package which raises notices for attempts and exploits of CVE-2022-30216, a technique used against Windows Server to force an NTLM authorization to an arbitrary server. An attacker can reuse the NTLM token to generate a client certificate, enabling them to request a Kerberos ticket that accesses the domain controller.
  
  
## Installation

`$ zkg install cve-2022-30216`

Use against a pcap you already have:

`$ zeek -Cr scripts/__load__.zeek your.pcap`


## Example Notice

Two notices can be generated from this package:
  - `CVE_2022_30216_Detection::ExploitAttempt`, and
  - `CVE_2022_30216_Detection::ExploitSuccess`

The first is generated when an attack is attempted, but does not necessarily succeed. The second is fired only when a successful exploit is detected and should be investigated immediately. Below is an example of a successful exploit notice.
```
XXXXXXXXXX.XXXXXX	CFLRIC3zaTU1loLGxh	192.168.56.104	53084	192.168.56.102	445	-	-	-	tcp	CVE_2022_30216_Detection::ExploitSuccess	Successful CVE-2022-30216 exploit: 192.168.56.104 exploited 192.168.56.102 relaying to 192.168.56.105	-	192.168.56.104	192.168.56.102	445	-	-	Notice::ACTION_LOG	(empty)	360XXXXXXXXXX.XXXXXX	-	-	-	-	-
```

## Installing

This package can be installed with `zkg` using the following commands:

```
$ zkg refresh
$ zkg install cve-2022-30216
```

## Test PCAPs
Our test pcaps were created by exploiting a proof of concept payload on an instance of [DetectionLab](https://www.detectionlab.network), slightly modified to use Windows Server 2022 for the domain controller and WEF machines, instead of the default, Windows Server 2016.

## References

1. https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-30216
2. https://www.detectionlab.network
File Snapshot

 [4.0K]  /data/pocs/233374030ab86dc3b6e14703502031023124f232
├── [  49]  COPYING
├── [1.7K]  README.md
├── [4.0K]  scripts
│   ├── [  13]  __load__.zeek
│   └── [1.5K]  main.zeek
├── [4.0K]  testing
│   ├── [4.0K]  Baseline
│   │   ├── [4.0K]  tests.successful-exploit
│   │   │   └── [1.3K]  notice.log
│   │   └── [4.0K]  tests.unsuccessful-exploit
│   │       └── [1.0K]  notice.log
│   ├── [ 558]  btest.cfg
│   ├── [4.0K]  Files
│   │   └── [ 192]  random.seed
│   ├── [  28]  Makefile
│   ├── [4.0K]  Scripts
│   │   ├── [ 383]  diff-remove-timestamps
│   │   ├── [1.3K]  get-zeek-env
│   │   └── [ 303]  README
│   ├── [4.0K]  tests
│   │   ├── [ 177]  successful-exploit.zeek
│   │   └── [ 222]  unsuccessful-exploit.zeek
│   └── [4.0K]  Traces
│       ├── [248K]  successful.pcap
│       └── [ 72K]  unsuccessful.pcap
└── [ 358]  zkg.meta

9 directories, 17 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →