
Description

KrbRelayUp is a tool that allows local privilege escalation from a low-privileged domain user to local SYSTEM on domain-joined computers.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Authentication, Change
  • Last Updated: 2022-04-28
  • Author: Michael Haag, Mauricio Velazco, Splunk
  • ID: 765790f0-2f8f-4048-8321-fd1928ec2546

Narrative

In October 2021, James Forshaw from Google's Project Zero released a research blog post titled Using Kerberos for Authentication Relay Attacks. This research introduced, for the first time, ways to make Windows authenticate to a different Service Principal Name (SPN) than the one that would normally be derived from the hostname the client is connecting to. This effectively proved that relaying Kerberos authentication is possible. In April 2022, security researcher Mor Davidovich released a tool named KrbRelayUp which implements Kerberos relaying as well as other known Kerberos techniques with the goal of escalating privileges from a low-privileged domain user on a domain-joined device and obtaining a SYSTEM shell.

Detections

Name                                                  | Technique                        | Type
Windows Computer Account Created by Computer Account  | Steal or Forge Kerberos Tickets  | TTP
Windows Computer Account Requesting Kerberos Ticket   | Steal or Forge Kerberos Tickets  | TTP
Windows Computer Account With SPN                     | Steal or Forge Kerberos Tickets  | TTP
Windows Kerberos Local Successful Logon               | Steal or Forge Kerberos Tickets  | TTP
Windows KrbRelayUp Service Creation                   | Windows Service                  | TTP
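As an added illustration of the detection ideas listed above (example code written for this page, not Splunk's shipped SPL and not code from the KrbRelayUp project), the following Python re-implements three of the listed detections over constructed Windows Security events and then correlates two of them into a higher-confidence chain. The event IDs 4741 (computer account created), 4768 (Kerberos TGT requested) and 4624 (successful logon) are standard Windows Security audit events; the exact rule conditions, the loopback-address check, and every sample field value are assumptions made for the example.

```python
"""Illustrative detection logic for three of the detections in this story,
run over constructed Windows Security events. Added example, not Splunk's
SPL: the rule bodies are assumptions about what each named detection looks
for, expressed over standard Security log fields (EventCode, SubjectUserName,
TargetUserName, LogonType, AuthenticationPackageName, IpAddress)."""
from typing import Dict, List

Event = Dict[str, str]

# Constructed sample events (placeholders, not real telemetry).
SAMPLE_EVENTS: List[Event] = [
    # 0: a human admin creates a machine account -> not flagged
    {"EventCode": "4741", "SubjectUserName": "jdoe",
     "TargetUserName": "WS-NEW01$"},
    # 1: a workstation's own machine account creates another machine account
    {"EventCode": "4741", "SubjectUserName": "WS-VICTIM$",
     "TargetUserName": "FAKEPC$"},
    # 2: the freshly created machine account requests a TGT
    {"EventCode": "4768", "TargetUserName": "FAKEPC$", "IpAddress": "10.0.0.23"},
    # 3: a user requests a TGT -> not flagged
    {"EventCode": "4768", "TargetUserName": "jdoe", "IpAddress": "10.0.0.23"},
    # 4: network (type 3) Kerberos logon whose source address is the loopback
    {"EventCode": "4624", "LogonType": "3",
     "AuthenticationPackageName": "Kerberos", "IpAddress": "::1",
     "TargetUserName": "WS-VICTIM$"},
    # 5: ordinary network Kerberos logon from a remote host -> not flagged
    {"EventCode": "4624", "LogonType": "3",
     "AuthenticationPackageName": "Kerberos", "IpAddress": "10.0.0.50",
     "TargetUserName": "jdoe"},
]

# Assumption: a "local" Kerberos network logon is one sourced from loopback.
LOOPBACK_ADDRESSES = {"::1", "127.0.0.1"}


def is_computer_account(name: str) -> bool:
    """Windows machine account sAMAccountNames end with '$'."""
    return name.endswith("$")


def computer_account_created_by_computer_account(events: List[Event]) -> List[int]:
    """4741 (computer account created) where the creator is itself a machine account."""
    return [i for i, e in enumerate(events)
            if e.get("EventCode") == "4741"
            and is_computer_account(e.get("SubjectUserName", ""))]


def computer_account_requesting_kerberos_ticket(events: List[Event]) -> List[int]:
    """4768 (TGT requested) where the requesting principal is a machine account.
    Noisy on its own, since machines request TGTs routinely; it is meant to be
    correlated with the creation event (see correlate_created_then_requesting)."""
    return [i for i, e in enumerate(events)
            if e.get("EventCode") == "4768"
            and is_computer_account(e.get("TargetUserName", ""))]


def kerberos_local_successful_logon(events: List[Event]) -> List[int]:
    """4624 network logon (type 3) authenticated with Kerberos but sourced from
    the local host; a genuine network logon should arrive from a remote address."""
    return [i for i, e in enumerate(events)
            if e.get("EventCode") == "4624"
            and e.get("LogonType") == "3"
            and e.get("AuthenticationPackageName") == "Kerberos"
            and e.get("IpAddress") in LOOPBACK_ADDRESSES]


def run_detections(events: List[Event]) -> Dict[str, List[int]]:
    """Map each story detection name to the indices of the events it flags."""
    return {
        "Windows Computer Account Created by Computer Account":
            computer_account_created_by_computer_account(events),
        "Windows Computer Account Requesting Kerberos Ticket":
            computer_account_requesting_kerberos_ticket(events),
        "Windows Kerberos Local Successful Logon":
            kerberos_local_successful_logon(events),
    }


def correlate_created_then_requesting(events: List[Event]) -> List[str]:
    """Higher-confidence chain: a machine account created by another machine
    account that later requests its own TGT (events assumed time-ordered)."""
    created_by_machine = set()
    suspicious: List[str] = []
    for e in events:
        if e.get("EventCode") == "4741" and is_computer_account(e.get("SubjectUserName", "")):
            created_by_machine.add(e.get("TargetUserName", ""))
        elif e.get("EventCode") == "4768":
            name = e.get("TargetUserName", "")
            if name in created_by_machine and name not in suspicious:
                suspicious.append(name)
    return suspicious


if __name__ == "__main__":
    for rule, hits in run_detections(SAMPLE_EVENTS).items():
        print(f"{rule}: events {hits}")
    print("created-then-requesting chain:", correlate_created_then_requesting(SAMPLE_EVENTS))
```

The per-rule functions return event indices so each detection can be tuned and tested in isolation, while the correlation function shows why the story groups them: the machine-account TGT request is common on any domain, but a TGT request from an account that a workstation's own machine account just created is the sequence worth paging on.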

Reference

source | version: 1