Analytics Story: Local Privilege Escalation With KrbRelayUp
Description
KrbRelayUp is a tool that allows local privilege escalation from low-priviliged domain user to local system on domain-joined computers.
Why it matters
In October 2021, James Forshaw from Googles Project Zero released a research blog post titled Using Kerberos for Authentication Relay Attacks. This research introduced, for the first time, ways to make Windows authenticate to a different Service Principal Name (SPN) than what would normally be derived from the hostname the client is connecting to. This effectively proved that relaying Kerberos authentication is possible\. In April 2022, security researcher Mor Davidovich released a tool named KrbRelayUp which implements Kerberos relaying as well as other known Kerberos techniques with the goal of escalating privileges from a low-privileged domain user on a domain-joined device and obtain a SYSTEM shell.
Detections
Data Sources
| Name | Platform | Sourcetype | Source |
|---|---|---|---|
| Windows Event Log Security 4624 |  Windows |
xmlwineventlog |
XmlWinEventLog:Security |
| Windows Event Log Security 4741 | Windows |
xmlwineventlog |
XmlWinEventLog:Security |
| Windows Event Log Security 4768 | Windows |
xmlwineventlog |
XmlWinEventLog:Security |
| Windows Event Log System 7045 | Windows |
xmlwineventlog |
XmlWinEventLog:System |
References
- https://github.com/Dec0ne/KrbRelayUp
- https://gist.github.com/tothi/bf6c59d6de5d0c9710f23dae5750c4b9
- https://googleprojectzero.blogspot.com/2021/10/using-kerberos-for-authentication-relay.html
- https://dirkjanm.io/relaying-kerberos-over-dns-with-krbrelayx-and-mitm6/
- https://github.com/cube0x0/KrbRelay
Source: GitHub | Version: 1