Microsoft has detailed how Windows customers can defend themselves from automated 'Kerberos Relay' attacks that can give an attacker System privileges on a Windows machine.
Microsoft has responded to the April release of KrbRelayUp, a tool that streamlines several earlier public tools to escalate privileges from a low-privileged Windows domain user to a high-privileged domain user by joining unauthorized devices to Active Directory (AD), Microsoft's on-premise authentication and identity service.
The tools rely on resource-based constrained delegation (RBCD), a legitimate method in Windows that enables an attacker to "impersonate an administrator and eventually run a code as the SYSTEM account of a compromised device", according to Microsoft.
System is the highest privilege level in Windows environments. The Kerberos authentication protocol is the main framework for on-premises Active Directory (AD), Microsoft's identity service.
Kerberos is the successor to Microsoft's NT Lan Manager (NTLM) protocol and was implemented in Windows 2000 and later. Kerberos allows admins to implement Single Sign On (SSO), so that users don't have to repeatedly input passwords. Kerberos uses a ticket-granting service or key distribution center for managing authentication.
Mor Davidovich, the pen-tester who released KrbRelayUp, says his tool exploits a "universal no-fix local privilege escalation in windows domain environments where LDAP signing is not enforced".
The LDAP protocol is used by AD to query and access directory information. The problem with LDAP is that by default it does not use signing to securely communicate between LDAP clients and domain controllers, making it vulnerable to NTLM and Kerberos credential relaying attacks. Hence, in 2019, Microsoft released guidance to enable LDAP signing, but admins can't patch this issue and only configure LDAP to mitigate it.
Microsoft clarified that KrbRelayUp can't be used in attacks in organizations that purely use Azure Active Directory (AD), the cloud version of its identity service. But customers that employ hybrid identity environments – where on-premise AD domain controllers are synced with Azure AD – are vulnerable.
"If an attacker compromises an Azure virtual machine using a synchronized account, they'll receive SYSTEM privileges on the virtual machine," Microsoft notes.
The RBCD method exploits several legitimate authentication capabilities that have evolved as AD has needed to support users with multiple devices and accounts with delegated access.
For example, an executive can give a subordinate the authority to send and receive emails on their behalf without sharing the exec's password. Originally, only domain admins could do this with msDS-AllowedToDelegateTo, but as organizations expanded and demands on delegation grew, Microsoft introduced "resource-based" delegation.
"In an organization with several file servers that all trust a web server for delegation, an admin would have to change the msDS-AllowedToDelegateTo priority in all of the different file servers to introduce a second web server. With resource-based delegation, the list of trusted computers is held on the receiving end. Thus, in our example, only the newly created server would require a change of settings," Microsoft explains.
KrbRelayUp also relies on the ms-DS-MachineAccountQuota attribute, present in all User AD objects. By default this is set to 10, allowing any user in AD to create up to 10 computer accounts associated with them, so the user can use multiple devices on a network.
"However, if a compromised user doesn't have 10 actual devices associated with their account, an attacker can create an account for a non-existing device that will be an object in Active Directory. This fake computer account isn't associated with a real device but can perform Active Directory authentication requests as if it were."
Microsoft has provided detailed mitigation steps in its blogpost.