Microsoft shares mitigation for Windows KrbRelayUp LPE attacks
Microsoft has shared guidance to help admins defend their Windows enterprise environments against KrbRelayUp attacks that enable attackers to gain SYSTEM privileges on Windows systems with default configurations.
Attackers can launch this attack using the KrbRelayUp tool, developed by security researcher Mor Davidovich as an open-source wrapper for the Rubeus, KrbRelay, SCMUACBypass, PowerMad/SharpMad, Whisker, and ADCSPwn privilege escalation tools.
Davidovich released an updated version of KrbRelayUp on Monday that also works when LDAP signing is enforced and will provide attackers with SYSTEM privileges if Extended Protection for Authentication for Active Directory Certificate Services is not enabled.
KrbRelayUp can help compromise Azure virtual machines in hybrid AD environments where domain controllers are synchronized with Azure AD. "Although this attack won't function for Azure Active Directory joined devices, hybrid joined devices with on-premises domain controllers remain vulnerable," said Zeev Rabinovich and Ofir Shlomo of the Microsoft 365 Defender Research Team.
Microsoft has now publicly shared guidance on blocking such attempts and defending corporate networks from attacks that use the KrbRelayUp wrapper.
The Microsoft 365 Defender Research Team provides additional details on how the KrbRelayUp attack works and further information on how to strengthen device configurations.