Detect Privilege Escalation in Windows Domain Environments

Cybersecurity researchers have revealed a security hole in the Microsoft’s Windows Active Directory (AD) allowing active users to add machines to the domain even without Admin privileges, which exposes to the machine to risk of privilege escalation attacks. According to the default settings, an AD user can add up to ten workstations to the domain. 

Using the KrbRelayUp tool, a universal no-fix local privilege escalation in Windows Domain environments where LDAP signing is not enforced according to the default settings, an adversary simply needs to run code on a domain-joined host to perform an attack. Security researchers expect this flaw extensively leveraged by ransomware operators to proceed with infections as the exploitation rouitine is rather primitive. 

Privilege Escalation Attack Detection Based on KrbRelayUp Behavior

To detect potential privilege escalation attacks in AD environments, security practitioners can download a curated Sigma-based rule available in the SOC Prime’s platform. Please note that to access the detection content, make sure to sign up or log into the platform:

Possible Local Privilege Escalation via KrbRelayUp Tool (via audit)

This Sigma rule has translations to 18 SIEM & XDR solutions, including Microsoft Sentinel, Humio, Elastic Stack, Chronicle Security, LimaCharlie, ArcSight, QRadar, Splunk, Devo, Graylog, Sumo Logic, LogPoint, Regex Grep, RSA NetWitness, FireEye, Apache Kafka ksqlDB, Securonix, and AWS OpenSearch.

The above-referenced detection is aligned with the MITRE ATT&CK® framework v.10 addressing the Defense Evasion and Credential Access tactics with the corresponding  

Abuse Elevation Control Mechanism (T1548) and Steal or Forge Kerberos Tickets (T1558) techniques.

Possible Computer Takeover Attack (via audit)

This Sigma rule has translations to 18 SIEM & XDR solutions, including Microsoft Sentinel, Humio, Elastic Stack, Chronicle Security, LimaCharlie, ArcSight, QRadar, Splunk, Devo, Graylog, Sumo Logic, LogPoint, Regex Grep, RSA NetWitness, FireEye, Apache Kafka ksqlDB, Securonix, and Microsoft PowerShell.

The above-referenced detection is aligned with the MITRE ATT&CK® framework v.10 addressing the Defense Evasion and Lateral Movement tactics with the corresponding Use Alternate Authentication Material (T1550) and Remote Services (T1021) techniques.

Cybersecurity gurus eager to contribute to collaborative expertise join the forces of the SOC Prime Threat Bounty Program to help the worldwide community strengthen its cyber defense potential. Apply to join the Threat Bounty crowdsourcing initiative to contribute your detection content to SOC Prime’s Detection as Code platform and be able to monetize your input while adding to a safer cyber future.                              

View Detections Join Threat Bounty

Mitigation

The increasing attention to this potentially dangerous security issue again reminds of the risks of the ability of all Authenticated Users to join their devices to a domain. The dangers might be mitigated by changing the default setting and removing Authenticated users from the Default Domain Controllers Policy. Alternativelly, the new secure policy might be introduced to define the “Add workstation to domain” setting. More details on the KrbRelayUp vulnerability mitigation might be found in the most recent research by Mor Davidovich in his latest GitHub input.

A proactive cybersecurity strategy is a viable solution that progressive organizations are striving to implement to strengthen their cyber defense capabilties. Explore SOC Prime’s Detection as Code platform to gain access to curated, context-enriched threat detection content to ensure your organization is one step ahead of attackers.

Was this article helpful?

Like and share it with your peers.
Join SOC Prime's Detection as Code platform to improve visibility into threats most relevant to your business. To help you get started and drive immediate value, book a meeting now with SOC Prime experts.

Related Posts