Written by nathanvermey

KrbRelayUp Mitigations

It seems there has been some confusion in the community about what the mitigations for this exploit are.
See comments in this reddit post: PSA: Enforce LDAP signing if you haven’t already
This post is an effort to clear up the confusion, explain the mitigations and how to apply them properly in one spot.

What is KrbRelayUp?

KrbRelayUp is new exploit released on 25/04/2022 by Mor Davidovich (Dec0ne)
Details on exactly how it works and a working POC for the exploit can be found on github
https://github.com/Dec0ne/KrbRelayUp

This exploit gives local admin priviledges and will work on a default AD install, it does however require a couple of prerequisites:

  • The attacker must have code execution (or be logged onto) a domain joined computer
  • The user account used can be a standard user and does not require any additional permissions

It is important to note that this exploit will work on an AD environment with default settings.
(An exception is windows firewall blocking the exploit, however this cannot be relied on. see comment from author)

MS-DS-Machine-Account-Quota

User accounts in AD by default can create up to 10 new computer accounts. This is not to be confused with domain joining computers which is what most system admins are familiar with.
Additional Information: Who can add computers to the domain?

  • Open “Active Directory Users and Computers”
  • Ensure “Advanced Features” is enabled
  • Open the “properties” for your domain
  • In the “Attribute Editor” change “ms-DS-MachineAccountQuota” to 0

The effect of this setting change is instant and does not require any reboots, this affects the first stage of the exploit which creates a new machine account. The effects of the change can be seen from the error below. However the second stage will still work.

Enable LDAP Signing and LDAP Channel binding

LDAPS and LDAP signing are different and affect security in different ways.

  • LDAPS is LDAP over SSL. LDAPS encrypts traffic and helps to prevent attackers from being able to read traffic while in transit. Enabling LDAPS does not protect from the relay attack used in KrbRelayUp!
  • LDAP signing “signs” traffic with a signature so the receiver can ensure that the original sender of the message can proved and that no changes have been made during transit. This will stop the relay attack using in KrbRelayUp.

An excellent explanation of the differences between Encryption and Signing can be found here
What is the difference between encrypting and signing in asymmetric encryption?

LDAP Channel binding forces clients to use LDAPS. Without this setting using LDAPS is optional for connecting clients, when being targeted by an attacker this is as good as leaving it off.

Instructions to turn on LDAP Signing can be found here:
How to enable LDAP signing in Windows Server

Instructions to enforce Channel binding can be found here:
Use the LdapEnforceChannelBinding registry entry to make LDAP authentication over SSL/TLS more secure

These changed block both the first and second stages of the attack.

Account is sensitive and cannot be delegated

Account delegation allows impersonation of accounts this is a normal part of active directory but can be abused by attackers in certain situations.
More information on Unconstrained delegation can be found here:
https://docs.microsoft.com/en-us/defender-for-identity/cas-isp-unconstrained-kerberos

Follow these instructions to set the “Account is sensitive and cannot be delegated” option on an account
This should be set for all admin accounts

  • Open the “Active Directory Users and Computers” window
  • Open the OU containing the Admin user and open up their properties
  • Under the account tab, select the “Account is sensitive and cannot be delegated” option

Enabling this option on all of your Administration accounts will cause the exploit fail again at both stages.
The results can be seen below.

All mitigations or just one?

If you were to choose a single mitigation I would suggest LDAP Signing, however consideration should be given to the other kinds of attacks these settings can allow when left in their default state. Here are some articles to show you some of the possibilities when these settings are left on their default values.

Machine accounts:
MachineAccountQuota is USEFUL Sometimes

LDAP Signing:
Pentest Everything

Account is Sensitive and Cannot be Delegated:
Delegating Like a Boss