{"id":24655,"date":"2022-05-26T01:41:12","date_gmt":"2022-05-25T23:41:12","guid":{"rendered":"http:\/\/159.69.82.204\/win\/?p=24655"},"modified":"2022-05-26T01:41:12","modified_gmt":"2022-05-25T23:41:12","slug":"microsoft-gibt-hinweise-zum-schutz-vor-krbrelayup-angriffen-in-windows-domains","status":"publish","type":"post","link":"https:\/\/borncity.com\/win\/2022\/05\/26\/microsoft-gibt-hinweise-zum-schutz-vor-krbrelayup-angriffen-in-windows-domains\/","title":{"rendered":"Microsoft provides guidance on protecting against KrbRelayUp attacks in Windows domains"},"content":{"rendered":"<p><img decoding=\"async\" title=\"Windows\" style=\"float: left; margin: 0px 10px 0px 0px; display: inline\" alt=\"Windows\" src=\"https:\/\/www.borncity.com\/blog\/wp-content\/uploads\/2021\/04\/Windows-klein.jpg\" width=\"200\" align=\"left\">[<a href=\"https:\/\/www.borncity.com\/blog\/2022\/05\/26\/microsoft-gibt-hinweise-zum-schutz-vor-krbrelayup-angriffen-in-windows-domains\/\" target=\"_blank\" rel=\"noopener\">German<\/a>]KrbRelayUp attacks allow local privilege escalation in Windows domain environments where LDAP signing is not enforced. The default Active Directory settings are still insecure. However, Microsoft has now explained in a post how administrators can protect systems against KrbRelayUp attacks in Windows domains.<\/p>\n<p><!--more--><\/p>\n<p>I had briefly reported on KrbRelayUp attacks in Windows domains in the German blog post <a href=\"https:\/\/www.borncity.com\/blog\/2022\/04\/28\/sicherheits-und-datenschutzmeldungen-28-april-2022\/\" target=\"_blank\" rel=\"noopener\">Sicherheits- und Datenschutzmeldungen (28. April 2022)<\/a>. A KrbRelayUp attack allows local privilege escalation in Windows domain environments where LDAP signing is not enforced. 
On <a href=\"https:\/\/github.com\/Dec0ne\/KrbRelayUp\" target=\"_blank\" rel=\"noopener\">GitHub<\/a>, someone had published the source code of a wrapper intended to simplify these attacks. So administrators should act and enforce LDAP signing. <\/p>\n<h2>Microsoft publishes security guidelines<\/h2>\n<p>Microsoft has now published a blog post <a href=\"https:\/\/www.microsoft.com\/security\/blog\/2022\/05\/25\/detecting-and-preventing-privilege-escalation-attacks-leveraging-kerberos-relaying-krbrelayup\/\" target=\"_blank\" rel=\"noopener\">Detecting and preventing privilege escalation attacks leveraging Kerberos relaying (KrbRelayUp)<\/a> on the topic, showing how systems can be protected against KrbRelayUp attacks on domain controllers. I came across the topic via the following <a href=\"https:\/\/twitter.com\/wdormann\/status\/1529573645449940992\" target=\"_blank\" rel=\"noopener\">tweet<\/a>.<\/p>\n<p><a href=\"https:\/\/twitter.com\/wdormann\/status\/1529573645449940992\" target=\"_blank\" rel=\"noopener\"><img decoding=\"async\" src=\"https:\/\/i.imgur.com\/e8sTF8N.png\"><\/a><\/p>\n<p>The background is probably that on April 24, 2022, a hacking tool for privilege escalation, <a href=\"https:\/\/github.com\/Dec0ne\/KrbRelayUp\" target=\"_blank\" rel=\"noopener\">KrbRelayUp<\/a>, was published on GitHub by security researcher Mor Davidovich. KrbRelayUp is a wrapper that can streamline the use of some features of the Rubeus, KrbRelay, SCMUACBypass, PowerMad\/SharpMad, Whisker and ADCSPwn tools in attacks.<\/p>\n<p>Microsoft recommends that its customers update Domain Controllers so that LDAP server signing requirements are set to \"signing required.\" This was described in <a href=\"https:\/\/msrc.microsoft.com\/update-guide\/vulnerability\/ADV190023\" target=\"_blank\" rel=\"noopener\">this advisory<\/a>. 
<a href=\"https:\/\/msrc-blog.microsoft.com\/2009\/12\/08\/extended-protection-for-authentication\/\" target=\"_blank\" rel=\"noopener\">This blog describes<\/a> how to enable Extended Protection for Authentication (EPA). The Microsoft blog post describes the attack path and provides guidance on how to mitigate these attacks. <\/p>\n","protected":false},"excerpt":{"rendered":"<p>[German]KrbRelayUp attacks allow local privilege escalation in Windows domain environments where LDAP signing is not enforced. The default Active Directory settings are still insecure. However, Microsoft has now explained in a post how administrators can protect systems against KrbRelayUp attacks &hellip; <a href=\"https:\/\/borncity.com\/win\/2022\/05\/26\/microsoft-gibt-hinweise-zum-schutz-vor-krbrelayup-angriffen-in-windows-domains\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[580,2],"tags":[69,159],"class_list":["post-24655","post","type-post","status-publish","format-standard","hentry","category-security","category-windows","tag-security","tag-windows-server"],"_links":{"self":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/24655","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/comments?post=24655"}],"version-history":[{"count":0,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/24655\/revisions"}],"wp:attachment":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/media?parent=24655"}],"wp:term":[{"taxonomy":"category","embeddable":true,"
href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/categories?post=24655"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/tags?post=24655"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}