KrbRelayUp: universal no-fix local privilege escalation

KrbRelayUp

Simple wrapper around some of the features of Rubeus and KrbRelay (and a few other honorable mentions in the acknowledgments section) in order to streamline the abuse of the following attack primitive:

  1. (Optional) New machine account creation (New-MachineAccount)
  2. Local machine account auth coercion (KrbRelay)
  3. Kerberos relay to LDAP (KrbRelay)
  4. Add RBCD privs and obtain privileged ST to the local machine (Rubeus)
  5. Using said ST to authenticate to the local Service Manager and create a new service as NT/SYSTEM. (SCMUACBypass)

This is essentially a universal no-fix local privilege escalation in Windows domain environments where LDAP signing is not enforced (the default settings).

local privilege escalation

Mitigation & Detection

Download