[German]KrbRelayUp attacks allow local privilege escalation in Windows domain environments where LDAP signing is not enforced. The default Active Directory settings are still insecure. However, Microsoft has now explained in a post how administrators can protect systems against KrbRelayUp attacks in Windows domains.
Advertising
I had briefly reported on KrbRelayUp attacks in Windows domains in the German blog post Sicherheits- und Datenschutzmeldungen (28. April 2022). A KrbRelayUp attack allows local privilege escalation in Windows domain environments where LDAP signing is not enforced. On Github, someone had published a wrapper in source code that should simplify these attacks. So administrators should act and enforce LDAP signing.
Microsoft publishes security guide lines
Microsoft has now published a blog post Detecting and preventing privilege escalation attacks leveraging Kerberos relaying (KrbRelayUp) on the topic, showing how systems can protect themselves against KrbRelayUp attacks on domain controllers. I came across the topic via the following tweet.
The background is probably that on April 24, 2022, a hacking tool, KrbRelayUp,
was published on GitHub for privilege escalation by security researcher Mor Davidovich. KrbRelayUp is a wrapper that can streamline the use of some features of the Rubeus, KrbRelay, SCMUACBypass, PowerMad/SharpMad, Whisker and ADCSPwn tools in attacks.
Advertising
Microsoft recommends that its customers update Domain Controllers so that LDAP server signing requests are set to "signing required." This was described in this advisory. This blog describes ,how to enable Extended Protection for Authentication (EPA). The Microsoft blog post describes the attack path and provides guidance on how to mitigate these attacks.
