WHAT’S HAPPENING?
In April 2022, a privilege escalation hacking tool known as KrbRelayUp was publicly disclosed on GitHub by security researcher Mor Davidovich.KrbRelayUp is a wrapper that can streamline the use of some features in the Rubeus, KrbRelay, SCMUACBypass, PowerMad/SharpMad, Whisker, and ADCSPwn attack tools, allowing Threat Actors to escalate their permissions to SYSTEM in Windows domain environments with default settings (where LDAP signing is not enforced).Although this attack won’t function for Azure Active Directory (Azure AD) joined devices, hybrid joined devices with on-premises domain controllers remain vulnerable.
What You Can Do?
Microsoft has shared guidance to help admins defend their Windows enterprise environments against KrbRelayUp attacks that enable attackers to gain SYSTEM privileges on Windows systems with default configurations.
Microsoft recommends that administrators configure LDAP signing and LDAP channel binding. Please refer to the following Microsoft Knowledge Base articles for detailed guidance on how to enable LDAP channel binding and LDAP signing on Active Directory domain controllers:
As an additional measure to make it more difficult for an attacker to leverage the attribute for attacks, organizations should also consider setting the ms-DS-MachineAccountQuota attribute to 0.
Setting the attribute to 0 stops non-admin users from adding new devices to the domain, blocking the most effective method to carry out the attack's first step and forcing attackers to choose more complex methods to acquire a suitable resource. MS-DS-Machine-Account-Quota configuration guidance
The Cythera SOC continues to monitor our managed clients and will respond to any events as per our incident playbooks, and can provide assistance and advice as required. Organisations that have been impacted or require assistance can contact Cythera via email at support@cythera.com.au or via the 1300 CYTHERA hotline: 1300 CYTHERA (1300 298 437).
