Windows enterprise environments vulnerable to KrbRelayUp attacks.

27 May / 2022

Industry News

WHAT’S HAPPENING?


In April 2022, a privilege escalation hacking tool known as KrbRelayUp was publicly disclosed on GitHub by security researcher Mor Davidovich.KrbRelayUp is a wrapper that can streamline the use of some features in the Rubeus, KrbRelay, SCMUACBypass, PowerMad/SharpMad, Whisker, and ADCSPwn attack tools, allowing Threat Actors to escalate their permissions to SYSTEM in Windows domain environments with default settings (where LDAP signing is not enforced).Although this attack won’t function for Azure Active Directory (Azure AD) joined devices, hybrid joined devices with on-premises domain controllers remain vulnerable.

What You Can Do?

Microsoft has shared guidance to help admins defend their Windows enterprise environments against KrbRelayUp attacks that enable attackers to gain SYSTEM privileges on Windows systems with default configurations.

Microsoft recommends that administrators configure LDAP signing and LDAP channel binding. Please refer to the following Microsoft Knowledge Base articles for detailed guidance on how to enable LDAP channel binding and LDAP signing on Active Directory domain controllers:

As an additional measure to make it more difficult for an attacker to leverage the attribute for attacks, organizations should also consider setting the ms-DS-MachineAccountQuota attribute to 0.

Setting the attribute to 0 stops non-admin users from adding new devices to the domain, blocking the most effective method to carry out the attack's first step and forcing attackers to choose more complex methods to acquire a suitable resource. MS-DS-Machine-Account-Quota configuration guidance

The Cythera SOC continues to monitor our managed clients and will respond to any events as per our incident playbooks, and can provide assistance and advice as required. Organisations that have been impacted or require assistance can contact Cythera via email at support@cythera.com.au or via the 1300 CYTHERA hotline: 1300 CYTHERA (1300 298 437).

Resources

You may be interested in

How we’re using Secure Web Gateway to quickly adapt customer’s security

Even post-COVID, a permanent shift to more remote and flexible working seems to be a theme for most organisations. This throws up some challenge…

Read More arrow_forward

Critical Citrix ADC and Gateway Remote Authentication Bypass Vulnerabilities

Critical Citrix ADC and Gateway Remote Authentication Bypass Vulnerabilities CVE: CVE-2022-27510, CVE-2022-27513 and CVE-2022-27516What is Vuln…

Read More arrow_forward

Top cyber-attacks of 2022.

2022 has been a year like no other for Australian businesses experiencing cyber attacks. With high-profile cases such as Optus on the rise, it i…

Read More arrow_forward