Windows enterprise environments vulnerable to KrbRelayUp attacks.

27 May / 2022

Industry News


In April 2022, a privilege escalation hacking tool known as KrbRelayUp was publicly disclosed on GitHub by security researcher Mor Davidovich.KrbRelayUp is a wrapper that can streamline the use of some features in the Rubeus, KrbRelay, SCMUACBypass, PowerMad/SharpMad, Whisker, and ADCSPwn attack tools, allowing Threat Actors to escalate their permissions to SYSTEM in Windows domain environments with default settings (where LDAP signing is not enforced).Although this attack won’t function for Azure Active Directory (Azure AD) joined devices, hybrid joined devices with on-premises domain controllers remain vulnerable.

What You Can Do?

Microsoft has shared guidance to help admins defend their Windows enterprise environments against KrbRelayUp attacks that enable attackers to gain SYSTEM privileges on Windows systems with default configurations.

Microsoft recommends that administrators configure LDAP signing and LDAP channel binding. Please refer to the following Microsoft Knowledge Base articles for detailed guidance on how to enable LDAP channel binding and LDAP signing on Active Directory domain controllers:

As an additional measure to make it more difficult for an attacker to leverage the attribute for attacks, organizations should also consider setting the ms-DS-MachineAccountQuota attribute to 0.

Setting the attribute to 0 stops non-admin users from adding new devices to the domain, blocking the most effective method to carry out the attack's first step and forcing attackers to choose more complex methods to acquire a suitable resource. MS-DS-Machine-Account-Quota configuration guidance

The Cythera SOC continues to monitor our managed clients and will respond to any events as per our incident playbooks, and can provide assistance and advice as required. Organisations that have been impacted or require assistance can contact Cythera via email at or via the 1300 CYTHERA hotline: 1300 CYTHERA (1300 298 437).


You may be interested in

An Outline of Australia’s Board Director Cyber Liability Policies

Board Members and Directors can avoid harsh penalties by understanding what’s required of them.When the Australian Cyber Security Strategy was…

Read More arrow_forward

Ransomware attacks are on the rise in Australia. Here’s how to prepare for them.

It's a rare occasion these days that you open up the Australian business news and DON’T see anything about a cybersecurity attack. Whisper the…

Read More arrow_forward

Protecting a distributed workforce.

COVID-19 has quickly switched many organisations to full work remote / from home policies, and IT teams are dusting off disaster recovery and bu…

Read More arrow_forward