Microsoft Shares Guidelines To Help Admins Fight KrbRelayUp Attacks

Microsoft has developed a common guide to help administrators effectively protect their Windows enterprise environment from KrbRelayUp attacks.

Administrators are advised to secure communication between LDAP clients and Active Directory (AD) domain controllers by forcing the signature of the LDAP server and enabling Extended Protection for Authentication (EPA).

The Microsoft 365 Defender Research also provides additional details about how the KrbRelayUp attack works and more information about how to improve device configuration.

The KrbRelayUp attack involves exploiting the KrbRelayUp tool, developed by security researcher Mor Davidovich as an open-source wrapper for Rubeus, KrbRelay, SCMUACBypass, PowerMad/SharpMad, Whisker and ADCSPwn privilege escalation tools.

Exploiting the KrbRelayUp tool allows attackers to gain SYSTEM privileges on Windows systems with default configurations.

According to Microsoft, the privilege escalation tool does not work against organizations with cloud-based Azure Active Directory environments. However, KrbRelayUp can help compromise Azure virtual machines in hybrid AD environments where domain controllers are synchronized with Azure AD.

IT World Canada Staff
IT World Canada Staff
The online resource for Canadian Information Technology professionals.

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

ITW in your inbox

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

More Best of The Web