Microsoft shares mitigation for Windows KrbRelayUp LPE attacks
2022-05-26 15:46

Microsoft has shared guidance to help admins defend their Windows enterprise environments against KrbRelayUp attacks that enable attackers to gain SYSTEM privileges on Windows systems with default configurations.

Attackers can launch this attack using the KrbRelayUp tool developed by security researcher Mor Davidovich as an open-source wrapper for Rubeus, KrbRelay, SCMUACBypass, PowerMad/SharpMad, Whisker, and ADCSPwn privilege escalation tools.

Davidovich released an updated version of KrbRelayUp on Monday that also works when LDAP signing is enforced and will provide attackers with SYSTEM privileges if Extended Protection for Authentication for Active Directory Certificate Services is not enabled.

KrbRelayUp can help compromise Azure virtual machines in hybrid AD environments where domain controllers are synchronized with Azure AD. "Although this attack won't function for Azure Active Directory joined devices, hybrid joined devices with on-premises domain controllers remain vulnerable," said Zeev Rabinovich and Ofir Shlomo of the Microsoft 365 Defender Research Team.

Microsoft has now publicly shared guidance on blocking such attempts and defending corporate networks from attacks that use the KrbRelayUp wrapper.

The Microsoft 365 Defender Research Team provides additional details on how the KrbRelayUp attack works and further information on how to strengthen device configurations.
