KB5021131 – How To Detect RC4 Accounts

Published on 15 Nov 2022

In the Microsoft article about the November 2022 updates KB5021131 for CVE-2022-37966, Microsoft provides a detection rule:

((msDS-SupportedEncryptionTypes & 0x3F) != 0) && ((msDS-SupportedEncryptionTypes & 0x38) == 0)

This rule is not an expression you can user as-is with Get-ADUser or Get-ADObject.

If you want to identify RC4 accounts (both users and computers objects), you can use the following:

Get-ADObject -Properties msDS-SupportedEncryptionTypes |
    Where-Object -FilterScript {
        (($_."msDS-SupportedEncryptionTypes" -band 0x3f) -ne 0) -and
        (($_."msDS-SupportedEncryptionTypes" -band 0x38) -eq 0)
    }

Clap

Comments

Bastien Perez

Freelance Microsoft 365 - Active Directory - Modern Workplace

France

Featured Posts

The ultimate social media tool you need this Black Friday!

I'm now Microsoft MVP Identity and Access!

KB5021131 – How To Detect RC4 Accounts

Comments

Bastien Perez

Featured Posts

I'm now Microsoft MVP Identity and Access!

Je suis désormais Microsoft MVP Identity and Access !

Download Road to Santa Cloud 365 Winter 2023 PDF