KrbRelayUp is a tool that allows local privilege escalation from low-priviliged domain user to local system on domain-joined computers.
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel: Authentication, Change
- Last Updated: 2022-04-28
- Author: Michael Haag, Mauricio Velazco, Splunk
- ID: 765790f0-2f8f-4048-8321-fd1928ec2546
In October 2021, James Forshaw from Googles Project Zero released a research blog post titled
Using Kerberos for Authentication Relay Attacks. This research introduced, for the first time, ways to make Windows authenticate to a different Service Principal Name (SPN) than what would normally be derived from the hostname the client is connecting to. This effectively proved that relaying Kerberos authentication is possible\. In April 2022, security researcher Mor Davidovich released a tool named KrbRelayUp which implements Kerberos relaying as well as other known Kerberos techniques with the goal of escalating privileges from a low-privileged domain user on a domain-joined device and obtain a SYSTEM shell.
source | version: 1