Microsoft has detailed how Windows customers can defend themselves from automated ‘Kerberos Relay’ attacks that can give an attacker System privileges on a Windows machine.
Microsoft has responded to the April release of KrbRelayUp, a tool that streamlines several earlier public tools to escalate privileges from a low-privileged Windows domain user to a high-privileged domain user by joining unauthorized devices to Active Directory (AD), Microsoft’s on-premises authentication and identity service.
The tools rely on resource-based constrained delegation (RBCD), a legitimate method in Windows that enables an attacker to “impersonate an administrator and eventually run a code as the SYSTEM account of a compromised device”, according to Microsoft.
System is the highest privilege level in Windows environments. The Kerberos authentication protocol is the main framework for on-premises Active Directory (AD), Microsoft’s identity service.
Kerberos is the successor to Microsoft’s NT LAN Manager (NTLM) protocol and was implemented in Windows 2000 and later. Kerberos allows admins to implement single sign-on (SSO), so that users don’t have to repeatedly input passwords. Kerberos uses a ticket-granting service or key distribution center for managing authentication.
Mor Davidovich, the pen-tester who released