Windows enterprise environments vulnerable to KrbRelayUp attacks.

27 May / 2022

Industry News

WHAT’S HAPPENING?


In April 2022, a privilege escalation hacking tool known as KrbRelayUp was publicly disclosed on GitHub by security researcher Mor Davidovich.KrbRelayUp is a wrapper that can streamline the use of some features in the Rubeus, KrbRelay, SCMUACBypass, PowerMad/SharpMad, Whisker, and ADCSPwn attack tools, allowing Threat Actors to escalate their permissions to SYSTEM in Windows domain environments with default settings (where LDAP signing is not enforced).Although this attack won’t function for Azure Active Directory (Azure AD) joined devices, hybrid joined devices with on-premises domain controllers remain vulnerable.

What You Can Do?

Microsoft has shared guidance to help admins defend their Windows enterprise environments against KrbRelayUp attacks that enable attackers to gain SYSTEM privileges on Windows systems with default configurations.

Microsoft recommends that administrators configure LDAP signing and LDAP channel binding. Please refer to the following Microsoft Knowledge Base articles for detailed guidance on how to enable LDAP channel binding and LDAP signing on Active Directory domain controllers:

As an additional measure to make it more difficult for an attacker to leverage the attribute for attacks, organizations should also consider setting the ms-DS-MachineAccountQuota attribute to 0.

Setting the attribute to 0 stops non-admin users from adding new devices to the domain, blocking the most effective method to carry out the attack's first step and forcing attackers to choose more complex methods to acquire a suitable resource. MS-DS-Machine-Account-Quota configuration guidance

The Cythera SOC continues to monitor our managed clients and will respond to any events as per our incident playbooks, and can provide assistance and advice as required. Organisations that have been impacted or require assistance can contact Cythera via email at support@cythera.com.au or via the 1300 CYTHERA hotline: 1300 CYTHERA (1300 298 437).

Resources

You may be interested in

How to Prevent Ransomware Attacks

How to Prevent Ransomware Attacks Ransomware incidents are becoming prolific in Australia. We’re seeing an increased amount of businesses com…

Read More arrow_forward

The Perfect 10 - Remote Code Execution in Apache Log4j Requiring Emergency Patching

CVE: CVE-2021-44228 CVSS Score: 10 (Critical)What Is Vulnerable?: Apache Log4j Version 2.15-rc1 or prior. (All version prior to 2.15-rc1 are vu…

Read More arrow_forward

What is Malware?

What is Malware? Malware is a broad term that refers to variety of malicious software cyber criminals use including: Worms Once a worm infilt…

Read More arrow_forward