Intrusion Prevention

MS.Windows.Kerberos.NTLM.Fallback.Authentication.Bypass

Description

This indicates an attack attempt to exploit a Security Bypass vulnerability in the Kerberos authentication module of Microsoft Windows.
The vulnerability is due to Windows falling back to NTLM as the default authentication protocol during a domain account password change when Kerberos fails. A remote man-in-the-middle attacker may be able to intercept traffic and alter the cached credentials on the target machine, gaining access to the vulnerable machine as the target user.

Affected Products

Microsoft Windows 7
Microsoft Windows 8.1
Microsoft Windows 10
Microsoft Windows RT 8.1
Microsoft Windows Vista
Microsoft Windows Server 2008
Microsoft Windows Server 2008 R2
Microsoft Windows Server 2012
Microsoft Windows Server 2012 R2

Impact

Security Bypass: Remote attackers can bypass security checks of vulnerable systems.

Recommended Actions

Apply the most recent upgrade or patch from the vendor.
https://technet.microsoft.com/en-us/library/security/MS16-101

CVE References

CVE-2016-3237