Microsoft has shared guidance to help admins defend their Windows enterprise environments against KrbRelayUp attacks that enable attackers to gain SYSTEM privileges on Windows systems with default configurations.
Attackers can launch this attack using the KrbRelayUp tool developed by security researcher Mor Davidovich as an open-source wrapper for Rubeus, KrbRelay, SCMUACBypass, PowerMad/SharpMad, Whisker, and ADCSPwn privilege escalation tools.
Since late April 2022, when the tool was first shared on GitHub, threat actors could escalate their permissions to SYSTEM in Windows domain environments with default settings (where LDAP signing is not enforced).
Davidovich released an updated version of KrbRelayUp on Monday that also works when LDAP signing is enforced and will provide attackers with SYSTEM privileges if Extended Protection for Authentication (EPA) for Active Directory Certificate Services (AD CS) is not enabled.