Analytics Story: Local Privilege Escalation With KrbRelayUp

Description

KrbRelayUp is a tool that allows local privilege escalation from a low-privileged domain user to local SYSTEM on domain-joined computers.

Why it matters

In October 2021, James Forshaw from Google's Project Zero released a research blog post titled Using Kerberos for Authentication Relay Attacks. This research introduced, for the first time, ways to make Windows authenticate to a different Service Principal Name (SPN) than the one that would normally be derived from the hostname the client is connecting to. This effectively proved that relaying Kerberos authentication is possible. In April 2022, security researcher Mor Davidovich released a tool named KrbRelayUp, which implements Kerberos relaying as well as other known Kerberos techniques with the goal of escalating privileges from a low-privileged domain user on a domain-joined device and obtaining a SYSTEM shell.

Detections

| Name | Technique | Type |
|---|---|---|
| Windows Computer Account Created by Computer Account | Steal or Forge Kerberos Tickets | TTP |
| Windows Computer Account Requesting Kerberos Ticket | Steal or Forge Kerberos Tickets | TTP |
| Windows Computer Account With SPN | Steal or Forge Kerberos Tickets | TTP |
| Windows Kerberos Local Successful Logon | Steal or Forge Kerberos Tickets | TTP |
| Windows KrbRelayUp Service Creation | Windows Service | TTP |
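The detections above each fire on a single event type; what makes the story useful is seeing several of them on the same workstation in a short window. The following is an added example, not Splunk's detection content and not KrbRelayUp's code: it runs a simple correlation over a constructed sample of XmlWinEventLog-style records (4741, 4768, 4624, 7045) and flags hosts where at least three indicators occur within ten minutes. The matching criteria (computer account creating a computer account, TGT request for that newly created account, Kerberos logon from a loopback address, LocalSystem service installed outside System32), the field names and the `host` field are assumptions made for the example; in real telemetry 4741 and 4768 are logged on the domain controller, so the workstation they concern has to be resolved upstream before grouping.

```python
"""Correlate the four Windows event types behind this story's detections over
constructed sample events. Added example; not Splunk's published SPL."""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)          # correlation window (assumption)
LOOPBACK = {"127.0.0.1", "::1"}         # local logon source addresses

# Constructed sample events (invented values, not real telemetry).
# "host" is the workstation the event concerns; for DC-logged 4741/4768 this
# would have to be resolved upstream from SubjectUserName / IpAddress.
SAMPLE_EVENTS = [
    # WS01: the full chain in the order the story describes
    {"host": "WS01", "EventCode": 4741, "time": "2022-05-01T10:00:05",
     "SubjectUserName": "WS01$", "TargetUserName": "FAKEPC$"},
    {"host": "WS01", "EventCode": 4768, "time": "2022-05-01T10:00:40",
     "TargetUserName": "FAKEPC$", "IpAddress": "10.0.0.15"},
    {"host": "WS01", "EventCode": 4624, "time": "2022-05-01T10:01:10",
     "TargetUserName": "WS01$", "AuthenticationPackageName": "Kerberos",
     "LogonType": 3, "IpAddress": "127.0.0.1"},
    {"host": "WS01", "EventCode": 7045, "time": "2022-05-01T10:01:30",
     "ServiceName": "svc-placeholder", "AccountName": "LocalSystem",
     "ImagePath": r"C:\Users\alice\AppData\Local\Temp\x.exe"},
    # WS02: ordinary activity that should not produce an alert
    {"host": "WS02", "EventCode": 4741, "time": "2022-05-01T11:00:00",
     "SubjectUserName": "admin.jane", "TargetUserName": "NEWLAPTOP$"},
    {"host": "WS02", "EventCode": 4768, "time": "2022-05-01T11:02:00",
     "TargetUserName": "WS02$", "IpAddress": "10.0.0.22"},
    {"host": "WS02", "EventCode": 4624, "time": "2022-05-01T11:03:00",
     "TargetUserName": "jane", "AuthenticationPackageName": "Kerberos",
     "LogonType": 3, "IpAddress": "10.0.0.50"},
    {"host": "WS02", "EventCode": 7045, "time": "2022-05-01T11:04:00",
     "ServiceName": "agentupdate", "AccountName": "LocalSystem",
     "ImagePath": r"C:\Program Files\Agent\agent.exe"},
]


def _is_computer_account(name):
    """Computer (machine) accounts end with '$' in Windows event fields."""
    return bool(name) and name.endswith("$")


def classify(event, created_accounts):
    """Return the indicator name an event matches, or None.

    created_accounts: computer accounts already seen being created on this
    host, so a 4768 for one of them counts as a suspicious TGT request."""
    code = event["EventCode"]
    if code == 4741 and _is_computer_account(event.get("SubjectUserName")):
        return "computer_account_created_by_computer"
    if code == 4768 and event.get("TargetUserName") in created_accounts:
        return "new_computer_account_requested_tgt"
    if (code == 4624 and event.get("AuthenticationPackageName") == "Kerberos"
            and event.get("LogonType") == 3
            and event.get("IpAddress") in LOOPBACK):
        return "kerberos_local_logon"
    if (code == 7045 and event.get("AccountName") == "LocalSystem"
            and not event.get("ImagePath", "").lower()
            .startswith(r"c:\windows\system32")):
        return "service_created_outside_system32"
    return None


def correlate(events, window=WINDOW, min_indicators=3):
    """Map host -> sorted list of distinct indicators when at least
    min_indicators occur within one window; hosts below that are omitted."""
    by_host = defaultdict(list)
    for event in sorted(events, key=lambda e: e["time"]):
        by_host[event["host"]].append(event)

    alerts = {}
    for host, host_events in by_host.items():
        created = set()
        hits = []  # (timestamp, indicator)
        for event in host_events:
            indicator = classify(event, created)
            if indicator == "computer_account_created_by_computer":
                created.add(event.get("TargetUserName"))
            if indicator:
                hits.append((datetime.fromisoformat(event["time"]), indicator))
        # Slide the window from each hit and look for enough distinct indicators.
        for i, (start, _) in enumerate(hits):
            seen = {ind for t, ind in hits[i:] if t - start <= window}
            if len(seen) >= min_indicators:
                alerts[host] = sorted(seen)
                break
    return alerts


if __name__ == "__main__":
    for host, indicators in correlate(SAMPLE_EVENTS).items():
        print(f"{host}: {', '.join(indicators)}")
```

Raising the threshold or shortening the window trades missed chains for fewer false positives; the single-event detections in the table remain the primary signals, and this correlation only orders them into the sequence the tool produces.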

Data Sources

| Name | Platform | Sourcetype | Source |
|---|---|---|---|
| Windows Event Log Security 4624 | Windows | xmlwineventlog | XmlWinEventLog:Security |
| Windows Event Log Security 4741 | Windows | xmlwineventlog | XmlWinEventLog:Security |
| Windows Event Log Security 4768 | Windows | xmlwineventlog | XmlWinEventLog:Security |
| Windows Event Log System 7045 | Windows | xmlwineventlog | XmlWinEventLog:System |

References


Source: GitHub | Version: 1