Observing that Windows enterprise systems are vulnerable to KrbRelayUp attacks, Microsoft has released public mitigation guidelines for businesses.
These include securing the communications between LDAP clients and AD domain controllers by enforcing LDAP server signing and enabling Extended Protection for Authentication (EPA). The Microsoft 365 Defender Research team has also detailed how these attacks work so that system admins can understand them better.
Mitigating Against KrbRelayUp Attacks
Right after discovering the KrbRelayUp flaw, a security researcher named Mor Davidovich released a free tool that finds vulnerable systems, which also makes it easy for threat actors to exploit targets.
Davidovich’s tool lets attackers gain SYSTEM privileges on Windows systems with default configurations. It builds not just on the KrbRelay exploit but also on other privilege escalation tools such as SCMUACBypass, PowerMad/SharpMad, Whisker, and ADCSPwn.
He later updated the tool to also cover systems that have not enforced LDAP signing. Though Microsoft said this tool does not work against organizations with cloud-based Azure Active Directory environments, it can still be exploited by attackers who compromise Azure virtual machines in hybrid AD environments.
Thus, Microsoft has now published mitigation guidelines asking system admins to secure communications between LDAP clients and Active Directory (AD) domain controllers by enforcing LDAP server signing and enabling Extended Protection for Authentication (EPA).
Organizations should also consider setting the ms-DS-MachineAccountQuota attribute to 0 to make it more difficult for an attacker to leverage the attribute for attacks. Setting the attribute to 0 stops non-admin users from adding new devices to the domain, blocking the most effective method to carry out the attack’s first step and forcing attackers to choose more complex methods to acquire a suitable resource.
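The following PowerShell audit script is an added example, not Microsoft's own tooling: it reports whether the three mitigations described above (machine account quota of 0, required LDAP server signing, and LDAP channel binding for EPA) are in place, and can optionally set the quota to 0. It assumes the RSAT ActiveDirectory module is installed and, for the registry checks, that it runs on a domain controller with local administrator rights.

```powershell
[CmdletBinding()]
param([switch]$Fix)   # -Fix sets ms-DS-MachineAccountQuota to 0; other settings are only reported

Import-Module ActiveDirectory

# 1. Machine account quota: non-zero lets any authenticated user create computer objects,
#    which KrbRelayUp uses for its first step.
$domain    = Get-ADDomain
$domainObj = Get-ADObject -Identity $domain.DistinguishedName -Properties 'ms-DS-MachineAccountQuota'
$maq       = [int]$domainObj.'ms-DS-MachineAccountQuota'

# 2. LDAP server signing and 3. channel binding (EPA) live under the NTDS service key on DCs.
#    Both are normally set through the Default Domain Controllers Policy, so this reads the
#    effective registry values rather than changing them.
$ntds    = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$signing = (Get-ItemProperty -Path $ntds -Name LDAPServerIntegrity -ErrorAction SilentlyContinue).LDAPServerIntegrity
$cbt     = (Get-ItemProperty -Path $ntds -Name LdapEnforceChannelBinding -ErrorAction SilentlyContinue).LdapEnforceChannelBinding

# Missing values mean the setting was never configured, i.e. the insecure default.
if ($null -eq $signing) { $signing = 1 }   # 1 = None, 2 = Require signing
if ($null -eq $cbt)     { $cbt     = 0 }   # 0 = Never, 1 = When supported, 2 = Always

$findings = @(
    [pscustomobject]@{ Setting = 'ms-DS-MachineAccountQuota'; Value = $maq;     Secure = ($maq -eq 0) }
    [pscustomobject]@{ Setting = 'LDAPServerIntegrity';       Value = $signing; Secure = ($signing -eq 2) }
    [pscustomobject]@{ Setting = 'LdapEnforceChannelBinding'; Value = $cbt;     Secure = ($cbt -eq 2) }
)
$findings | Format-Table -AutoSize

if ($Fix -and $maq -ne 0) {
    # Stops non-admin users from joining new computers to the domain.
    Set-ADDomain -Identity $domain -Replace @{ 'ms-DS-MachineAccountQuota' = '0' }
    Write-Host "ms-DS-MachineAccountQuota set to 0 on $($domain.DNSRoot)"
}

if ($findings.Secure -contains $false) {
    Write-Warning 'One or more KrbRelayUp mitigations are not enforced; see the table above.'
}
```

Run it on each domain controller, since the registry values are per-DC while the quota is domain-wide. Before moving signing or channel binding to the enforced values, review the LDAP diagnostic event log for clients that still bind without signing or channel binding, as enforcing the settings breaks those clients.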
It’s advised to read the detailed explanation provided by the Microsoft 365 Defender Research Team on how the KrbRelayUp attack works and how to safeguard against it.