Photo by Andrew Ridley / Unsplash

KB5021131 – How To Detect RC4 Accounts

Nov 15, 2022

In the Microsoft article about the November 2022 updates KB5021131 for CVE-2022-37966, Microsoft provides a detection rule:

((msDS-SupportedEncryptionTypes & 0x3F) != 0) && ((msDS-SupportedEncryptionTypes & 0x38) == 0)

This rule is not an expression you can user as-is with Get-ADUser or Get-ADObject.

If you want to identify RC4 accounts (both users and computers objects), you can use the following:

Get-ADObject -Properties msDS-SupportedEncryptionTypes |
    Where-Object -FilterScript {
        (($_."msDS-SupportedEncryptionTypes" -band 0x3f) -ne 0) -and
        (($_."msDS-SupportedEncryptionTypes" -band 0x38) -eq 0)

Bastien Perez

Freelance Microsoft 365 - Active Directory - Modern Workplace