# KrbRelayUp - a universal no-fix local privilege escalation in Windows domain

Simple wrapper around some of the features of Rubeus and KrbRelay (and a few other honorable mentions in the acknowledgements section) in order to streamline the abuse of the following attack primitives:
- (Optional) New machine account creation (New-MachineAccount)
- Local machine account auth coercion (KrbRelay)
- Kerberos relay to LDAP (KrbRelay)
- Add RBCD privs and obtain privileged ST to local machine (Rubeus)
- Using said ST to authenticate to local Service Manager and create a new service as NT/SYSTEM. (SCMUACBypass)

This is essentially a universal no-fix local privilege escalation in Windows domain environments where LDAP signing is not enforced (the default setting).
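The chain above leaves two correlatable traces in the Windows Security log: a computer account created by an ordinary user (Event 4741, the optional New-MachineAccount step) and a write to the `msDS-AllowedToActOnBehalfOfOtherIdentity` attribute of the local computer object (Event 5136, the RBCD step), performed either by that computer account itself via the relayed session or by a low-privileged subject. The detection sketch below is an added example written from the defender's side; it is not part of KrbRelayUp, Rubeus or KrbRelay. The `Event` fields, the `PRIVILEGED_SUBJECTS` allowlist, the one-hour window and the sample records are constructed and simplified; a real export would need its own field mapping, and 5136 only appears when Directory Service Changes auditing is enabled.

```python
"""Correlate new-machine-account creation with RBCD attribute writes.

Signals used (simplified representation of Windows Security log events):
  * 4741  computer account created   -> flagged when the creator is not privileged
  * 5136  directory object modified  -> flagged when the attribute is
          msDS-AllowedToActOnBehalfOfOtherIdentity and the write is a
          self-write by the computer account, comes from a low-privileged
          subject, or references a machine account created shortly before.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

RBCD_ATTR = "msDS-AllowedToActOnBehalfOfOtherIdentity"
# Constructed allowlist of accounts expected to create computers / edit RBCD.
PRIVILEGED_SUBJECTS = {"DOMAIN\\admin", "DOMAIN\\svc-sccm"}
WINDOW = timedelta(hours=1)  # how long a fresh machine account stays "suspicious"


@dataclass
class Event:
    time: datetime
    event_id: int
    subject: str            # account performing the action, DOMAIN\\name form
    target: str             # computer account affected (sAMAccountName, e.g. WS01$)
    attribute: str = ""     # LDAP display name of the modified attribute (5136)
    value_refs: tuple = ()  # accounts referenced by the new attribute value (5136)


@dataclass
class Alert:
    time: datetime
    rule: str
    detail: str


def detect(events):
    """Return alerts for the KrbRelayUp-style pattern, in time order."""
    alerts = []
    rogue_accounts = {}  # new machine account -> (creator, creation time)
    for ev in sorted(events, key=lambda e: e.time):
        if ev.event_id == 4741 and ev.subject not in PRIVILEGED_SUBJECTS:
            rogue_accounts[ev.target] = (ev.subject, ev.time)
            alerts.append(Alert(ev.time, "machine-account-created-by-user",
                                f"{ev.subject} created {ev.target}"))
        elif ev.event_id == 5136 and ev.attribute == RBCD_ATTR:
            reasons = []
            # The relayed LDAP session in this chain is the computer's own
            # account writing its own RBCD attribute.
            if ev.subject.split("\\")[-1].upper() == ev.target.upper():
                reasons.append("self-write")
            if ev.subject not in PRIVILEGED_SUBJECTS:
                reasons.append("low-privileged subject")
            fresh = [a for a in ev.value_refs
                     if a in rogue_accounts and ev.time - rogue_accounts[a][1] <= WINDOW]
            if fresh:
                reasons.append("references recently created " + ", ".join(fresh))
            if reasons:
                alerts.append(Alert(ev.time, "suspicious-rbcd-write",
                                    f"{ev.subject} wrote {RBCD_ATTR} on {ev.target}: "
                                    + "; ".join(reasons)))
    return alerts


# Constructed sample records, not real log data.
SAMPLE_EVENTS = [
    Event(datetime(2022, 4, 25, 9, 0), 4741, "DOMAIN\\jdoe", "EVILPC$"),
    Event(datetime(2022, 4, 25, 9, 5), 5136, "DOMAIN\\WS01$", "WS01$", RBCD_ATTR, ("EVILPC$",)),
    Event(datetime(2022, 4, 25, 9, 6), 5136, "DOMAIN\\admin", "WS01$", "description", ()),
    Event(datetime(2022, 4, 25, 9, 7), 4741, "DOMAIN\\svc-sccm", "BUILD07$"),
    # Sanctioned RBCD configuration by an admin between two long-lived hosts.
    Event(datetime(2022, 4, 25, 12, 0), 5136, "DOMAIN\\admin", "SQL01$", RBCD_ATTR, ("WEB01$",)),
]


def run_sample():
    return detect(SAMPLE_EVENTS)


if __name__ == "__main__":
    for a in run_sample():
        print(a.time.isoformat(), a.rule, a.detail)
```

On the sample data only the `jdoe` account creation and the `WS01$` self-write (which also references the fresh `EVILPC$` account) are reported; the admin's description edit, the allowlisted service account's computer creation and the sanctioned RBCD change are ignored. Pair this with enforcing LDAP signing and channel binding on domain controllers, which removes the relay step the whole chain depends on.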