Attack Overview
Goal: Local privilege escalation on TargetComputer
- Start RPC listener
- Coerce COM server to authenticate over Kerberos → obtain service ticket for HOST/TargetComputer
- Relay ticket to LDAP/TargetComputer, then use relevant techniques (RBCD, shadow credentials attack) to modify computer account object and achieve local privilege escalation.
SMB signing
This attack does not work if SMB signing is required. SMB signing is enabled but not required by default, except on domain controllers; however, it became required by default in Windows Insider builds (e.g. Windows 11 and Windows Server).
Tools
- C2: Cobalt Strike
- Relaying: KrbRelay, KrbRelayUp (can automate everything; not covered here)
- LPE: StandIn, Whisker, Rubeus
Add set tasks_max_size "2097152"; to the top of the Malleable C2 profile (the KrbRelay assembly is too large for the default task size).
Use StandIn to create a computer account.
Run KrbRelay against the target SPN:
The above command makes changes through LDAP to allow the dummy computer (EvilComputer) to delegate to TargetComputer via RBCD. Get a ticket for HOST/TargetComputer through RBCD (e.g. Rubeus.exe asktgt, then Rubeus.exe s4u).
Use SCMUACBypass to achieve local privilege escalation with this ticket. For RTO lab purposes, this is available through the elevate svc-exe-krb [listener-name] command (found in C:\Tools\SCMUACBypass).
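For the defender's side of the chain above, an added example (not from the original notes or from any of the listed tools): a Python triage function over constructed Windows Security event records that flags the two domain-side footprints of this technique, a computer account created by an ordinary user (event 4741, the StandIn step) and a write to the RBCD or shadow-credential attribute of a computer object (event 5136, the KrbRelay/Whisker step). The PROVISIONING_ACCOUNTS allowlist and all sample records are assumptions.

```python
# Added example, not part of the original notes. Events are plain dicts keyed
# by the Windows Security event XML field names; SAMPLE_EVENTS is constructed.
from typing import Iterable, List

RBCD_ATTR = "msDS-AllowedToActOnBehalfOfOtherIdentity"   # RBCD (KrbRelay/StandIn)
SHADOW_CRED_ATTR = "msDS-KeyCredentialLink"               # shadow credentials (Whisker)
# Assumption: only these identities are expected to create computer objects.
PROVISIONING_ACCOUNTS = {"svc-provision", "Administrator"}


def triage(events: Iterable[dict]) -> List[str]:
    """Return one finding per suspicious event, in input order."""
    findings = []
    for e in events:
        eid = e.get("EventID")
        if eid == 4741 and e.get("SubjectUserName") not in PROVISIONING_ACCOUNTS:
            # A non-provisioning user added a machine account (MachineAccountQuota abuse).
            findings.append(f"4741 computer account {e['TargetUserName']} "
                            f"created by {e['SubjectUserName']}")
        elif eid == 5136 and e.get("ObjectClass") == "computer":
            attr = e.get("AttributeLDAPDisplayName")
            if attr == RBCD_ATTR:
                findings.append(f"5136 RBCD attribute written on {e['ObjectDN']} "
                                f"by {e['SubjectUserName']}")
            elif attr == SHADOW_CRED_ATTR:
                findings.append(f"5136 KeyCredentialLink written on {e['ObjectDN']} "
                                f"by {e['SubjectUserName']}")
    return findings


# Constructed sample log: one benign join, one suspicious join, one RBCD write,
# one routine SPN change, one unrelated logon.
SAMPLE_EVENTS = [
    {"EventID": 4741, "SubjectUserName": "svc-provision", "TargetUserName": "WS042$"},
    {"EventID": 4741, "SubjectUserName": "jdoe", "TargetUserName": "EvilComputer$"},
    {"EventID": 5136, "SubjectUserName": "jdoe", "ObjectClass": "computer",
     "ObjectDN": "CN=TargetComputer,CN=Computers,DC=lab,DC=local",
     "AttributeLDAPDisplayName": RBCD_ATTR},
    {"EventID": 5136, "SubjectUserName": "svc-provision", "ObjectClass": "computer",
     "ObjectDN": "CN=WS042,CN=Computers,DC=lab,DC=local",
     "AttributeLDAPDisplayName": "servicePrincipalName"},
    {"EventID": 4624, "SubjectUserName": "jdoe"},
]

if __name__ == "__main__":
    for line in triage(SAMPLE_EVENTS):
        print(line)
```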