Threat Intelligence Blog


Black Arrow Admin

Black Arrow Cyber Advisory 19/07/2022 – Netwrix Auditor – RCE and Privilege Escalation Vulnerability


Executive Summary

Netwrix Auditor is an application that allows an organisation to monitor their IT infrastructure. A newly discovered vulnerability could allow malicious actors to execute arbitrary code on affected servers which are running the application. This vulnerability can also allow for privilege escalation on the server as the malicious code can be executed with “System” level permissions. This software is currently in use by more than 11,000 organisations across the globe.

What’s the risk to me or my business?

Managed service providers and IT teams use software to assist in monitoring various elements of IT infrastructure, including Active Directory. If Netwrix Auditor is currently being used by your organisation, then this vulnerability could potentially be exploited to execute code remotely, allowing an attacker to run malicious software to further compromise affected devices.

What can I do?

An update, version 10.5, has been released by Netwrix Auditor to address the issue; it should be applied to all current deployments of the software tool. This specific vulnerability is reached through an exposed network port, so appropriately configured external perimeter controls can be used to mitigate the risk. However, the vulnerability could still be exploited if an attacker manages to gain access to the organisation's internal network.

Technical Summary

This specific vulnerability relates to an unsecured .NET remoting service which can be accessed via TCP port 9004 on the server on which Netwrix Auditor is installed. While this vulnerability is yet to be given an official CVE, Bishop Fox, the firm which published details of the vulnerability, has rated it as Critical, since it can be triggered remotely and can lead to escalation of privileges and code execution.

Further information on this particular vulnerability is available here: Netwrix Auditor Bug Threatens Active Directory Domain - Blumira
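The following PowerShell script is an added example (not from the advisory, Bishop Fox or Netwrix) that checks a Netwrix Auditor host against the two facts above: whether the installed version is at least 10.5 and whether anything is listening on TCP 9004 beyond loopback. It assumes the product registers a Windows uninstall entry whose DisplayName starts with "Netwrix Auditor"; adjust that pattern if your installation differs.

```powershell
# Added example: version and TCP 9004 exposure check for a Netwrix Auditor host.
# Assumption: the uninstall entry's DisplayName begins with "Netwrix Auditor".
$PatchedVersion = [version]'10.5'   # fixed release named in the advisory
$RemotingPort   = 9004              # .NET remoting port named in the advisory

function Get-NetwrixAuditorVersion {
    # Look in both the 64-bit and 32-bit uninstall hives and return the highest version found.
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Netwrix Auditor*' -and $_.DisplayVersion } |
        ForEach-Object { try { [version]$_.DisplayVersion } catch { } } |
        Sort-Object -Descending | Select-Object -First 1
}

function Test-NetwrixRemotingExposure {
    $installed = Get-NetwrixAuditorVersion
    $listeners = Get-NetTCPConnection -LocalPort $RemotingPort -State Listen -ErrorAction SilentlyContinue
    # A listener bound to 0.0.0.0 / :: or a real interface address is reachable from the network.
    $exposed   = $listeners | Where-Object { $_.LocalAddress -notin '127.0.0.1', '::1' }
    # Established peers show who is currently talking to the remoting service.
    $peers     = Get-NetTCPConnection -LocalPort $RemotingPort -State Established -ErrorAction SilentlyContinue |
                 Where-Object { $_.RemoteAddress -notin '127.0.0.1', '::1' }
    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        InstalledVersion   = $installed
        Patched            = ($null -ne $installed -and $installed -ge $PatchedVersion)
        Port9004Listening  = [bool]$listeners
        NonLoopbackBinding = (($exposed.LocalAddress | Select-Object -Unique) -join ', ')
        ConnectedPeers     = (($peers.RemoteAddress | Select-Object -Unique) -join ', ')
    }
}

$result = Test-NetwrixRemotingExposure
$result | Format-List
if (-not $result.Patched) {
    Write-Warning "Netwrix Auditor is below $PatchedVersion (or not detected); apply the 10.5 update."
}
if ($result.NonLoopbackBinding) {
    Write-Warning "TCP $RemotingPort is reachable on $($result.NonLoopbackBinding); confirm perimeter and internal firewall rules restrict it."
}
```

Run it on each Netwrix Auditor server; a non-empty ConnectedPeers list with unexpected addresses is worth following up even after patching.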

Need help understanding your gaps, or just want some advice? Get in touch with us.

Black Arrow Admin

Black Arrow Cyber Advisory 03/05/2022 – Hacking tool disclosed for Privilege Escalation on Windows


Executive Summary

A privilege escalation hacking tool has been publicly disclosed, which allows an attacker to use PowerShell to step through a process leading to local administrator access. The tool, known as “KrbRelayUp”, takes advantage of default configuration settings for Windows domain environments and the ability of local accounts to access Microsoft PowerShell. This attack requires a low-privilege account to be compromised, and could lead to further privilege escalation, including compromising a domain administrator account.

What’s the risk to me or my business?

As the requirements for this attack are credentials for a low-privileged account and a default configuration of Windows Active Directory, it is a likely path for an attacker to use once they have compromised an account in order to gain privileged access. This vulnerability affects any environment using either local domain controllers or a hybrid of Azure and on-premises Active Directory.

What can I do?

Contact your Managed Service Provider and request that tools such as “PSExec” and “PowerShell” are blocked for standard users, who would not typically require access to these administration tools. Other mitigation options include enforcing “LDAP Signing” within Active Directory environments; however, it is important to test the impact of these changes on a production environment to avoid unexpected outcomes.

Technical Summary

The attack proceeds in the following steps:

1. Compromise, or already have access to, low-privileged credentials linked to a local Active Directory environment.

2. Create a new machine account and add it to the domain.

3. Obtain the SID of the machine account.

4. Use the KrbRelay software to abuse the attribute “msDS-AllowedToActOnBehalfOfOtherIdentity” of the targeted computer account.

5. Obtain a privileged Silver Ticket for the local machine through Rubeus by performing a Resource-based Constrained Delegation (RBCD) attack.

6. Use the Silver Ticket to authenticate to the local service manager, creating a new service as NT/System. This service now has local administrator access.
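The audit script below is an added example (not from the advisory or the KrbRelayUp project) written from the defender's side of the steps above: it reports whether standard users can still add machine accounts (step 2), whether LDAP signing is enforced (the mitigation named above), which computers already carry an “msDS-AllowedToActOnBehalfOfOtherIdentity” entry (step 4), and which machine accounts were recently created by non-administrators. It assumes the RSAT ActiveDirectory module is present, that the caller can read the domain, and uses a 7-day lookback window chosen for illustration; the LDAP signing registry check is only meaningful when run on a domain controller.

```powershell
# Added example: domain audit for the preconditions and footprints of the KrbRelayUp chain.
# Assumptions: RSAT ActiveDirectory module installed; run on a DC for the LDAP signing check.
Import-Module ActiveDirectory

function Get-KrbRelayUpExposure {
    param([int]$LookbackDays = 7)   # window for "recently created" machine accounts (arbitrary choice)
    $domain = Get-ADDomain
    # Step 2 precondition: by default any authenticated user may add up to 10 machine accounts.
    $quota = (Get-ADObject -Identity $domain.DistinguishedName -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
    # Mitigation check: LDAPServerIntegrity 2 = signing required; 0 or 1 = not enforced (the default).
    $ldap = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' -Name LDAPServerIntegrity -ErrorAction SilentlyContinue).LDAPServerIntegrity
    # Step 4 footprint: computers whose msDS-AllowedToActOnBehalfOfOtherIdentity is populated.
    $rbcd = Get-ADComputer -LDAPFilter '(msDS-AllowedToActOnBehalfOfOtherIdentity=*)' -Properties 'msDS-AllowedToActOnBehalfOfOtherIdentity' |
        ForEach-Object {
            $acl = $_.'msDS-AllowedToActOnBehalfOfOtherIdentity'   # returned as an ActiveDirectorySecurity object
            $trustees = $acl.Access | ForEach-Object { $_.IdentityReference.Value } | Select-Object -Unique
            [pscustomobject]@{ Computer = $_.Name; AllowedToActOnBehalf = ($trustees -join ', ') }
        }
    # Step 2 footprint: mS-DS-CreatorSID is only populated when a non-admin used the quota to join a machine.
    $since  = (Get-Date).AddDays(-$LookbackDays)
    $recent = Get-ADComputer -Filter { whenCreated -ge $since } -Properties whenCreated, 'mS-DS-CreatorSID' |
        ForEach-Object {
            $creator = '(created by an administrator)'
            if ($_.'mS-DS-CreatorSID') {
                $sid = New-Object System.Security.Principal.SecurityIdentifier($_.'mS-DS-CreatorSID', 0)
                try { $creator = $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $creator = $sid.Value }
            }
            [pscustomobject]@{ Computer = $_.Name; Created = $_.whenCreated; CreatedBy = $creator }
        }
    [pscustomobject]@{
        Domain                = $domain.DNSRoot
        MachineAccountQuota   = $quota
        LdapSigningRequired   = ($ldap -eq 2)
        RbcdConfiguredHosts   = @($rbcd)
        RecentMachineAccounts = @($recent)
    }
}

$report = Get-KrbRelayUpExposure
$report | Format-List
if ($report.MachineAccountQuota -gt 0) {
    Write-Warning "ms-DS-MachineAccountQuota is $($report.MachineAccountQuota); setting it to 0 stops standard users adding machine accounts."
}
if (-not $report.LdapSigningRequired) {
    Write-Warning "LDAP signing is not enforced on this host (or it is not a DC); test and enforce it as the advisory recommends."
}
```

Any host in RbcdConfiguredHosts whose trustee is a freshly created machine account, especially one listed in RecentMachineAccounts with a non-administrative CreatedBy, is the combination the steps above produce and should be investigated.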

Further details can be found here:

GitHub - Dec0ne/KrbRelayUp: KrbRelayUp - a universal no-fix local privilege escalation in windows domain environments where LDAP signing is not enforced (the default settings). Privilege Escalation using KrbRelay and RBCD · GitHub
