title: CVE-2025-33073 Pattern (Event ID 1644)
id: 9a1f8e3b-6c4d-4f2a-8d7c-3b5e9f2a1c7d
status: test
description: Detecting the exploitation of the CVE-2025-33073 vulnerability in Windows NTLM authentication by checking the DNS name for a specific pattern
references:
    - https://www.synacktiv.com/publications/ntlm-reflection-is-dead-long-live-ntlm-reflection-an-in-depth-analysis-of-cve-2025
author: PT ESC
date: 2025/06/20
logsource:
    product: windows
    service: eventlog
detection:
    selection:
        Channel: Directory Service
        EventID: 1644
        Event.EventData.Data|re: (?i)([a-z0-9\\-]{1,50}1uwhrca[a-z0-9+/=]{1,50})
    condition: selection
falsepositives:
    - Unknown
level: high