June 7, 2023

A privilege escalation hacking tool, KrbRelayUp, was publicly disclosed on GitHub by security researcher Mor Davidovich last month. The tool is a wrapper that streamlines the use of some features of the Rubeus, KrbRelay, SCMUACBypass, Powermad/SharpMad, Whisker, and ADCSPwn tools in attacks.

Microsoft responded to the KrbRelayUp release yesterday in a blog post. The tool streamlines several earlier public tools to escalate privileges from a low-privileged Windows domain user to a high-privileged domain user by joining unauthorized devices to Active Directory (AD), Microsoft’s on-premises authentication and identity service.

According to Microsoft, these tools rely on resource-based constrained delegation (RBCD), a legitimate method in Windows that enables an attacker to “impersonate an administrator and eventually run code as the SYSTEM account of a compromised device”. System-level privilege is the highest level in Windows environments. The Kerberos authentication protocol is the main framework for on-premises Active Directory (AD), Microsoft’s identity service.

Kerberos is the successor to Microsoft’s NTLM protocol and was implemented in Windows 2000 and later. Kerberos allows admins to implement Single Sign-On (SSO). Kerberos uses a ticket-granting service or key distribution center for managing authentication.

AD uses LDAP to query and access directory information. By default, LDAP does not use signing to securely communicate between LDAP clients and domain controllers, making it vulnerable to NTLM and Kerberos credential relaying attacks. Hence, in 2019, Microsoft released guidance to enable LDAP signing; admins can’t patch this issue and can only configure LDAP to mitigate it.

Microsoft also clarified that KrbRelayUp can’t be used in attacks on organizations that use only Azure Active Directory (Azure AD), the cloud version of its identity service. For customers with hybrid identity environments, where on-premises AD domain controllers are synced with Azure AD, there was a possible vulnerability: if any Azure virtual machine is compromised using an account that is already synchronized, system-level privileges are achieved.

The RBCD method exploits several legitimate authentication capabilities that have evolved as AD has needed to support users with multiple devices and accounts with delegated access.

KrbRelayUp also relies on the ms-DS-MachineAccountQuota attribute, present in all User AD objects. By default, this is set to 10, allowing any user in AD to create up to 10 computer accounts associated with them, so the user can use multiple devices on a network.

“However, if a compromised user doesn’t have 10 actual devices associated with their account, an attacker can create an account for a non-existing device that will be an object in Active Directory. This fake computer account isn’t associated with a real device but can perform Active Directory authentication requests as if it were.”

KrbRelayUp attack process

  1. Acquisition of a suitable resource
  2. Modification of the msDS-AllowedToActOnBehalfOfOtherIdentity attribute
  3. Privileged ticket acquisition
  4. Privileged ticket leverage
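
The two attributes named above, ms-DS-MachineAccountQuota and msDS-AllowedToActOnBehalfOfOtherIdentity, can be audited from the defender's side. The following is an added example, not code from the original article or from Microsoft; it assumes the RSAT ActiveDirectory PowerShell module and read access to the domain, and it uses the mS-DS-CreatorSID attribute and the PrincipalsAllowedToDelegateToAccount property, which the article does not mention.

```powershell
# Added audit example; not from the original article or from Microsoft.
# Assumes the RSAT ActiveDirectory module and read access to the domain.
Import-Module ActiveDirectory

$domain = Get-ADDomain

# 1. How many computer accounts may an ordinary user create?
#    The quota is read here from the domain root object.
$root  = Get-ADObject -Identity $domain.DistinguishedName -Properties 'ms-DS-MachineAccountQuota'
$quota = $root.'ms-DS-MachineAccountQuota'
if ($quota -gt 0) {
    Write-Warning "ms-DS-MachineAccountQuota is $quota; authenticated users can add computer accounts."
}

# 2. For computer accounts created under that quota, the directory records
#    the creator's SID in mS-DS-CreatorSID.
$userCreated = @(Get-ADComputer -LDAPFilter '(mS-DS-CreatorSID=*)' `
    -Properties 'mS-DS-CreatorSID', whenCreated)

# 3. Computers with RBCD configured, i.e. msDS-AllowedToActOnBehalfOfOtherIdentity is set.
$rbcd = @(Get-ADComputer -LDAPFilter '(msDS-AllowedToActOnBehalfOfOtherIdentity=*)' `
    -Properties PrincipalsAllowedToDelegateToAccount, whenChanged)

# 4. Highest-priority finding: a resource that trusts a user-created computer
#    account for delegation, the pattern described in the article.
$createdDns = $userCreated.DistinguishedName
$findings = foreach ($computer in $rbcd) {
    foreach ($principal in $computer.PrincipalsAllowedToDelegateToAccount) {
        [pscustomobject]@{
            Resource       = $computer.Name
            Changed        = $computer.whenChanged
            TrustedAccount = $principal
            UserCreated    = $createdDns -contains $principal
        }
    }
}

$userCreated | Select-Object Name, whenCreated,
    @{ n = 'CreatorSID'; e = { "$($_.'mS-DS-CreatorSID')" } } | Format-Table -AutoSize
$findings | Sort-Object UserCreated -Descending | Format-Table -AutoSize
```

Rows with UserCreated set to True are the ones to review first; the other rows may be legitimate delegation configured by administrators.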

Microsoft Defender for Endpoint and Microsoft Defender for Identity will be able to protect against these attacks.

For detailed information, refer to the Microsoft report.
