May 30, 2022
Microsoft has developed a common guide to help administrators effectively protect their Windows enterprise environment from KrbRelayUp attacks.
Administrators are advised to secure communication between LDAP clients and Active Directory (AD) domain controllers by forcing the signature of the LDAP server and enabling Extended Protection for Authentication (EPA).
The Microsoft 365 Defender Research also provides additional details about how the KrbRelayUp attack works and more information about how to improve device configuration.
The KrbRelayUp attack involves exploiting the KrbRelayUp tool, developed by security researcher Mor Davidovich as an open-source wrapper for Rubeus, KrbRelay, SCMUACBypass, PowerMad/SharpMad, Whisker and ADCSPwn privilege escalation tools.
Exploiting the KrbRelayUp tool allows attackers to gain SYSTEM privileges on Windows systems with default configurations.
According to Microsoft, the privilege escalation tool does not work against organizations with cloud-based Azure Active Directory environments. However, KrbRelayUp can help compromise Azure virtual machines in hybrid AD environments where domain controllers are synchronized with Azure AD.
The sources for this piece include an article in BleepingComputer.
