How to mitigate Active Directory attacks that use the KrbRelayUp toolset

Those of you with on-premises Active Directory (AD) need to be aware of a new way to abuse Kerberos in your network. KrbRelayUp is a bundle of tools that streamlines the use of some features in Rubeus, KrbRelay, SCMUACBypass, PowerMad/SharpMad, Whisker, and ADCSPwn. Attackers use the toolset to impersonate an administrator via resource-based constrained delegation and execute code as a device’s SYSTEM account.

Pure Azure AD environments are safe from this attack, but hybrid AD networks with both on-premises AD and Azure AD are at risk. If an attacker compromises an Azure virtual machine that is synchronized with on-premises Active Directory, the attacker gains SYSTEM privileges on the virtual machine and can move further into the network from there.

Microsoft recommends you take the following actions:

Step 1: Block the attacker from using the first step of the attack sequence

While Microsoft uses the phrase “organizations should consider” for these settings, I’d use much stronger wording. I recommend your organization make the following change: set the ms-DS-MachineAccountQuota attribute to “0”. By default, this attribute allows any non-administrator user in the Authenticated Users group to add up to 10 workstations to the domain. In this era of Autopilot and other installation methodologies, users should not be adding workstations to the domain.

Instruct your AD administrators to open the ADSI Edit MMC snap-in (adsiedit.msc) and connect to the Domain Naming Context. Look for the entry beginning with “DC=” followed by your domain name. Right-click it, choose “Properties”, and look for the value of ms-DS-MachineAccountQuota. You will see it at a value of “10”. Set the value to “0”.

Alternatively, you can set the value with Windows PowerShell. First, use the Get-ADObject cmdlet to check the value:
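The following PowerShell is an added example, not taken from the article or from Microsoft's guidance: it reads the quota with Get-ADObject, sets it to 0 with Set-ADObject, and then lists computer accounts that were created through the quota, which Active Directory marks by populating ms-DS-CreatorSID on the object. It assumes the RSAT ActiveDirectory module is installed and that it is run with Domain Admin rights; the function names are my own.

```powershell
# Added example (not the article's own code). Requires the RSAT ActiveDirectory
# module and Domain Admin rights. $domainDN is resolved from the current domain.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName

function Get-MachineAccountQuota {
    # Returns the current quota as an integer; a fresh domain defaults to 10.
    $obj = Get-ADObject -Identity $domainDN -Properties 'ms-DS-MachineAccountQuota'
    return [int]$obj.'ms-DS-MachineAccountQuota'
}

function Set-MachineAccountQuota {
    param([int]$Quota = 0)
    # -Replace writes the attribute whether or not it was ever explicitly set.
    Set-ADObject -Identity $domainDN -Replace @{ 'ms-DS-MachineAccountQuota' = $Quota }
}

function Get-UserCreatedComputers {
    # Computer objects joined by non-admin users under the quota carry the
    # creator's SID in ms-DS-CreatorSID; objects created by admins do not.
    # Setting the quota to 0 stops new ones; these existing ones still need review.
    Get-ADComputer -LDAPFilter '(ms-DS-CreatorSID=*)' -Properties 'ms-DS-CreatorSID', whenCreated |
        ForEach-Object {
            # The attribute is stored as a binary SID; offset 0 into the byte array.
            $sid = New-Object System.Security.Principal.SecurityIdentifier($_.'ms-DS-CreatorSID', 0)
            $creator = try { $sid.Translate([System.Security.Principal.NTAccount]).Value }
                       catch { '(unresolved SID)' }
            [pscustomobject]@{
                Computer   = $_.Name
                Created    = $_.whenCreated
                CreatorSID = $sid.Value
                Creator    = $creator
            }
        }
}

"ms-DS-MachineAccountQuota before: $(Get-MachineAccountQuota)"
Set-MachineAccountQuota -Quota 0
"ms-DS-MachineAccountQuota after:  $(Get-MachineAccountQuota)"

"Computer accounts created by non-admin users (review and remove if unexpected):"
Get-UserCreatedComputers | Sort-Object Created | Format-Table -AutoSize
```

Run Get-UserCreatedComputers on its own first if you only want the inventory; the quota change is a single attribute write and can be reverted with the same Set-ADObject call.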

Copyright © 2022 IDG Communications, Inc.
