KrbRelayUp local privilege escalation.

 1title: KrbRelayUp local privilege escalation.
 2description: Detecting possible successful exploitation using tools such as KrbRelayUp AD environment 
 3status: experimental
 4date: 2022/04/26
 5author: \@kostastsale
 6references:
 7    - https://github.com/Dec0ne/KrbRelayUp
 8    - https://googleprojectzero.blogspot.com/2021/10/using-kerberos-for-authentication-relay.html
 9    - https://github.com/elastic/detection-rules/blob/fb6ee2c69864ffdfe347bf3b050cb931f53067a6/rules/windows/privilege_escalation_krbrelayup_suspicious_logon.toml
10logsource:
11    product: windows
12    service: security
13detection:
14    selection1:
15        EventID: 4624
16        LogonType: '3'
17        AuthenticationPackageName: 'Kerberos'
18        IpAddress: '127.0.0.1'
19        TargetUserSid: 'S-1-5-21-*-500'
20    filter:
21        IpPort: '0'
22    condition: selection1 and not filter
23falsepositives:
24    - Uknown
25level: High
26tags:
27    - attack.privilege_escalation
28    - attack.t1068

References

• GitHub - Dec0ne/KrbRelayUp: KrbRelayUp - a universal no-fix local privilege escalation in windows domain environments where LDAP signing is not enforced (the default settings).

  

  KrbRelayUp - a universal no-fix local privilege escalation in windows domain environments where LDAP signing is not enforced (the default settings). - Dec0ne/KrbRelayUp

  
  Read More

• Using Kerberos for Authentication Relay Attacks

  

  Posted by James Forshaw, Project Zero This blog post is a summary of some research I've been doing into relaying Kerberos authentica...

  
  Read More

• detection-rules/rules/windows/privilege_escalation_krbrelayup_suspicious_logon.toml at fb6ee2c69864ffdfe347bf3b050cb931f53067a6 · elastic/detection-rules

  

  Contribute to elastic/detection-rules development by creating an account on GitHub.

  
  Read More