Threat Intelligence Blog
Contact us to discuss any insights from our Blog, and how we can support you in a tailored threat intelligence report.
Black Arrow Cyber Advisory 03/05/2022 – Hacking tool disclosed for Privilege Escalation on Windows
Black Arrow Cyber Advisory 03/05/2022 – Hacking tool disclosed for Privilege Escalation on Windows
Executive Summary
A privileged escalation hacking tool has been publicly disclosed, which allows an attacker to use the PowerShell to step through a process leading to local administrator access. Known as “KrbRelayUp” takes advantage of default configuration settings for Windows Domain environments, and the ability for local accounts to access Microsoft PowerShell. This attack requires a low-privilege account to be compromised, and could lead to further privilege escalation including compromising a domain administrator account.
What’s the risk to me or my business?
As the requirements for this attack are credentials to a low privileged account, and default configuration for Windows Active Directory, it is a likely path for an attacker to use once they have compromised an account in order to gain privileged access. This vulnerability affects any environments using either Local Domain Controllers, or a Hybrid between Azure and On-Premises Active Directory.
What can I do?
Contact your Managed Service Provider and request that tools such as “PSExec” and “PowerShell” are blocked for standard users, who would not require access to these tools typically used for administration purposes. Other mitigation options include enforcing “LDAP Signing” within active directory environments, however it is important to test the impact that making these changes may have on a production environment to avoid unexpected outcomes.
Technical Summary
The attack follows the following steps:
1. Compromise/have access to low-privileged credentials linked to a Local Active Directory environment.
2. Create a new machine account and add this to the domain.
3. Obtain the SID for the machine account.
4. Use the KrbRelay software to abuse the attribute “msDS-AllowedToActOnBehalfOfOtherIdentity” of the targeted computer account.
5. Obtain privileged Silver Ticket for the local machine through Rebeus by performing a Resource-based Constrained Delegation attack (RBCD).
6. Use the Silver Ticket to authenticate with local service manager, creating a new service as NT/System. This service now has local administrator access.
Further details can be found here:
GitHub - Dec0ne/KrbRelayUp: KrbRelayUp - a universal no-fix local privilege escalation in windows domain environments where LDAP signing is not enforced (the default settings). Privilege Escalation using KrbRelay and RBCD · GitHub
Need help understanding your gaps, or just want some advice? Get in touch with us.