Microsoft shares mitigation for Windows KrbRelayUp LPE attacks (Security News, May 2022)
Microsoft has shared guidance to help admins defend their Windows enterprise environments against KrbRelayUp attacks that enable attackers to gain SYSTEM privileges on Windows systems with default configurations.
Attackers can launch this attack using the KrbRelayUp tool, developed by security researcher Mor Davidovich as an open-source wrapper for the Rubeus, KrbRelay, SCMUACBypass, PowerMad/SharpMad, Whisker, and ADCSPwn privilege escalation tools.
Davidovich released an updated version of KrbRelayUp on Monday that also works when LDAP signing is enforced and will provide attackers with SYSTEM privileges if Extended Protection for Authentication for Active Directory Certificate Services is not enabled.
KrbRelayUp can help compromise Azure virtual machines in hybrid AD environments where domain controllers are synchronized with Azure AD. "Although this attack won't function for Azure Active Directory joined devices, hybrid joined devices with on-premises domain controllers remain vulnerable," said Zeev Rabinovich and Ofir Shlomo of the Microsoft 365 Defender Research Team.
Microsoft has now publicly shared guidance on blocking such attempts and defending corporate networks from attacks that use the KrbRelayUp wrapper.
The Microsoft 365 Defender Research Team provides additional details on how the KrbRelayUp attack works and further information on how to strengthen device configurations.