Windows enterprise environments vulnerable to KrbRelayUp attacks.

27 May / 2022

Industry News

WHAT’S HAPPENING?


In April 2022, a privilege escalation hacking tool known as KrbRelayUp was publicly disclosed on GitHub by security researcher Mor Davidovich.KrbRelayUp is a wrapper that can streamline the use of some features in the Rubeus, KrbRelay, SCMUACBypass, PowerMad/SharpMad, Whisker, and ADCSPwn attack tools, allowing Threat Actors to escalate their permissions to SYSTEM in Windows domain environments with default settings (where LDAP signing is not enforced).Although this attack won’t function for Azure Active Directory (Azure AD) joined devices, hybrid joined devices with on-premises domain controllers remain vulnerable.

What You Can Do?

Microsoft has shared guidance to help admins defend their Windows enterprise environments against KrbRelayUp attacks that enable attackers to gain SYSTEM privileges on Windows systems with default configurations.

Microsoft recommends that administrators configure LDAP signing and LDAP channel binding. Please refer to the following Microsoft Knowledge Base articles for detailed guidance on how to enable LDAP channel binding and LDAP signing on Active Directory domain controllers:

As an additional measure to make it more difficult for an attacker to leverage the attribute for attacks, organizations should also consider setting the ms-DS-MachineAccountQuota attribute to 0.

Setting the attribute to 0 stops non-admin users from adding new devices to the domain, blocking the most effective method to carry out the attack's first step and forcing attackers to choose more complex methods to acquire a suitable resource. MS-DS-Machine-Account-Quota configuration guidance

The Cythera SOC continues to monitor our managed clients and will respond to any events as per our incident playbooks, and can provide assistance and advice as required. Organisations that have been impacted or require assistance can contact Cythera via email at support@cythera.com.au or via the 1300 CYTHERA hotline: 1300 CYTHERA (1300 298 437).

Resources

You may be interested in

Cythera and Druva: A Strategic Alliance for Essential Eight Compliance and Beyond

For Australian companies navigating the complexities of cyber resilience, having a dependable backup solution is not just a nice-to-have, it's a…

Read More arrow_forward

Upcoming ISO 27001 Audit? 5 Ways to Nail It.

Undergoing an ISO 27001 audit can be a stressful time, not only do you have your day-to-day role to manage, but you also need to spend months in…

Read More arrow_forward

3 Ways To Check If Your Corporate Identity Is Being Impersonated Online

A guide to taking the first step towards protecting your brand from online impersonationCybersecurity attacks cost businesses financially, opera…

Read More arrow_forward