Some of these include securing the communications between LDAP clients and AD controllers by enforcing LDAP server signing and also enabling Extended Protection for Authentication (EPA). The Microsoft 365 Defender Research team has also detailed how these attacks work to make system admins learn better.
Mitigating Against KrbRelayUp Attacks
Right after discovering the KrbRelayUp flaw, a security researcher named Mor Davidovich has released a free tool to dig through the vulnerable systems – just making it easy for threat actors to exploit target systems. Davidovich’s tool will let attackers gain SYSTEM privileges on Windows systems with default configurations, which works on not just KrbRelay exploit, but other privilege escalation tools like the SCMUACBypass, PowerMad/SharpMad, Whisker, and ADCSPwn. He later updated the tool to include a system that hasn’t enforced the LDAP signing. Though Microsoft said this tool doesn’t work for organizations with cloud-based Azure Active Directory environments, attackers compromising the Azure virtual machines in hybrid AD environments can be exploited. Thus, Microsoft has now come up with mitigation guidelines, asking the system admins to secure communications between LDAP clients and Active Directory (AD) domain controllers – by enforcing LDAP server signing and enabling Extended Protection for Authentication (EPA). It’s advised to check the detailed explanation provided by Microsoft 365 Defender Research Team, on how the KrbRelayUp attack works and how to safeguard against it.