Microsoft has published a guide for protecting Windows corporate environments from KrbRelayUp attacks


Microsoft has published guidance for administrators on protecting corporate Windows environments from KrbRelayUp attacks, which let an attacker gain SYSTEM privileges on domain-joined Windows machines in domains running with default settings.

The attacks use the KrbRelayUp tool, developed by security researcher Mor Davidovich as an open-source wrapper around Rubeus, KrbRelay, SCMUACBypass, PowerMad/SharpMad, Whisker and ADCSPwn, which together implement the local privilege escalation chain.

Since the end of April 2022, when KrbRelayUp was first published on GitHub, attackers have been able to use it to elevate privileges in Windows domain environments running with default settings (that is, with LDAP signing not enforced on the domain controllers).

This week Davidovich released an updated version of KrbRelayUp that also works when LDAP signing is enforced: it still yields SYSTEM privileges as long as Extended Protection for Authentication (EPA) is not enabled for Active Directory Certificate Services (AD CS).

According to Microsoft, the tool does not affect organizations that use Azure Active Directory exclusively. It can, however, be used to compromise Azure virtual machines in hybrid environments where on-premises Active Directory domain controllers are synchronized with Azure AD.

On Thursday, May 26, 2022, Microsoft published guidance on defending against the KrbRelayUp attacks described above. The same guidance had been available earlier, but only to customers with a Microsoft 365 E5 subscription.

The company recommends that administrators harden the channel between LDAP clients and AD domain controllers by enforcing LDAP server signing on the domain controllers, and that they enable Extended Protection for Authentication (EPA), in particular on the AD CS endpoints.

Organizations should also consider setting the ms-DS-MachineAccountQuota attribute to 0 to make it harder to abuse. A value of 0 prevents users without administrator privileges from adding new computer accounts to the domain, so an attacker would have to find a more sophisticated way to obtain a suitable account for the relay.
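The following PowerShell script is an added example that audits, and optionally applies, the three hardening settings above on a domain controller. It is not Microsoft's guidance script and is not part of KrbRelayUp. It assumes it is run elevated on a DC with the ActiveDirectory (RSAT) module available, that the AD CS Web Enrollment application is hosted on the same machine at the IIS path 'Default Web Site/CertSrv' (an assumption; pass -CertSrvPath if yours differs), and it also checks LDAP channel binding, which is the EPA control for LDAPS and is not named explicitly in the article.

```powershell
<#
  Added example: audit and optionally remediate the KrbRelayUp hardening settings.
  Not Microsoft's script and not part of KrbRelayUp. Run elevated on a domain controller.
  ASSUMPTION: AD CS Web Enrollment lives at 'Default Web Site/CertSrv' on this host.
#>
[CmdletBinding(SupportsShouldProcess)]
param(
    [switch]$Remediate,
    [string]$CertSrvPath = 'Default Web Site/CertSrv'   # assumed default path
)

Import-Module ActiveDirectory -ErrorAction Stop
$ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'

function Get-NtdsDword {
    param([string]$Name)
    # A missing value means the DC runs with the default (non-enforcing) behaviour.
    $item = Get-ItemProperty -Path $ntds -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

# 1. "Domain controller: LDAP server signing requirements": 1 = None, 2 = Require signing.
$signing = Get-NtdsDword 'LDAPServerIntegrity'
# 2. LDAP channel binding (EPA for LDAPS): 0 = Never, 1 = When supported, 2 = Always.
$cbt = Get-NtdsDword 'LdapEnforceChannelBinding'
# 3. ms-DS-MachineAccountQuota on the domain naming context (default 10).
$domain = Get-ADDomain
$maq = (Get-ADObject -Identity $domain.DistinguishedName `
        -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
# 4. EPA on the AD CS Web Enrollment endpoint: tokenChecking = None / Allow / Require.
$epa = $null
if (Get-Module -ListAvailable -Name WebAdministration) {
    Import-Module WebAdministration
    $epa = Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $CertSrvPath `
        -Filter 'system.webServer/security/authentication/windowsAuthentication/extendedProtection' `
        -Name 'tokenChecking' -ErrorAction SilentlyContinue
    # Enum attributes come back as a ConfigurationAttribute; unwrap the string value.
    if ($null -ne $epa -and $epa.PSObject.Properties['Value']) { $epa = $epa.Value }
}

$checks = @(
    [pscustomobject]@{ Setting = 'LDAPServerIntegrity (LDAP server signing)'; Current = $signing; Expected = 2;         Pass = ($signing -eq 2) }
    [pscustomobject]@{ Setting = 'LdapEnforceChannelBinding (LDAPS EPA)';    Current = $cbt;     Expected = 2;         Pass = ($cbt -eq 2) }
    [pscustomobject]@{ Setting = 'ms-DS-MachineAccountQuota';                Current = $maq;     Expected = 0;         Pass = ($maq -eq 0) }
    [pscustomobject]@{ Setting = "EPA tokenChecking on $CertSrvPath";        Current = $epa;     Expected = 'Require'; Pass = ("$epa" -eq 'Require') }
)
$checks | Format-Table -AutoSize

if ($Remediate) {
    # The registry writes affect only this DC and are overridden by Group Policy if the
    # matching policy is defined; for a durable, domain-wide result set the same values
    # in the Default Domain Controllers Policy instead.
    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Require LDAP signing and channel binding')) {
        Set-ItemProperty -Path $ntds -Name 'LDAPServerIntegrity'       -Value 2 -Type DWord
        Set-ItemProperty -Path $ntds -Name 'LdapEnforceChannelBinding' -Value 2 -Type DWord
    }
    # Domain-wide: non-admin users can no longer create computer accounts.
    if ($PSCmdlet.ShouldProcess($domain.DNSRoot, 'Set ms-DS-MachineAccountQuota to 0')) {
        Set-ADDomain -Identity $domain.DistinguishedName -Replace @{ 'ms-DS-MachineAccountQuota' = 0 }
    }
    # Only touch IIS if the endpoint was actually found during the audit.
    if ($null -ne $epa -and $PSCmdlet.ShouldProcess($CertSrvPath, 'Require Extended Protection')) {
        Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $CertSrvPath `
            -Filter 'system.webServer/security/authentication/windowsAuthentication/extendedProtection' `
            -Name 'tokenChecking' -Value 'Require'
    }
}
```

Run it without arguments to get a pass/fail table; add `-Remediate -WhatIf` to see what would change, and `-Remediate` to apply. Setting LDAP signing to "Require" breaks clients that still bind with simple or unsigned SASL binds, so audit Event IDs 2886-2889 on the DCs before enforcing it.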

The Microsoft 365 Defender Research Team has published the details of the KrbRelayUp attack chain, together with the recommended device-configuration hardening, in its write-up.
