Microsoft issues Kerberos Relay attack mitigations

ZDNet reports that Microsoft has given Windows domain administrators guidance on better defending their systems against Kerberos Relay attacks, which enable malicious actors to obtain System privileges. Threat actors have been leveraging the resource-based constrained delegation method implemented in the KrbRelayUp tool, developed by pen-tester Mor Davidovich, to impersonate an administrator and gain code execution as the compromised device's System account. According to Microsoft, organizations with hybrid identity environments that sync between on-premises Azure Active Directory domain controllers and Azure AD are susceptible to Kerberos Relay attacks, while those that rely on Azure AD alone are not. "In an organization with several file servers that all trust a web server for delegation, an admin would have to change the msDS-AllowedToDelegateTo priority in all of the different file servers to introduce a second web server. With resource-based delegation, the list of trusted computers is held on the receiving end. Thus, in our example, only the newly created server would require a change of settings," said Microsoft.
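Because resource-based delegation is stored on the receiving object rather than on the front-end account, an admin reviewing delegation in a domain needs to read both attributes. The following PowerShell audit is an added example, not code from the article, Microsoft or the KrbRelayUp project; it assumes the RSAT ActiveDirectory module is installed and that the function name `Get-DelegationReport` and its `$SearchBase` parameter are local choices, and it lists every object that has either msDS-AllowedToDelegateTo (classic constrained delegation) or msDS-AllowedToActOnBehalfOfOtherIdentity (resource-based delegation) set, decoding the latter's security descriptor so the trusted principals are readable.

```powershell
# Added audit helper (not from the article). Assumes the RSAT ActiveDirectory
# module and ordinary read access to the domain from a domain-joined host.
Import-Module ActiveDirectory

function Get-DelegationReport {
    param([string]$SearchBase = (Get-ADDomain).DistinguishedName)

    # Classic constrained delegation: the front-end account lists its targets in
    # msDS-AllowedToDelegateTo. Resource-based delegation: the target object holds
    # an ACL of trusted principals in msDS-AllowedToActOnBehalfOfOtherIdentity.
    $props  = 'msDS-AllowedToDelegateTo', 'msDS-AllowedToActOnBehalfOfOtherIdentity'
    $filter = '(|(msDS-AllowedToDelegateTo=*)(msDS-AllowedToActOnBehalfOfOtherIdentity=*))'

    Get-ADObject -LDAPFilter $filter -SearchBase $SearchBase -Properties $props |
        ForEach-Object {
            $rbcd    = $_.'msDS-AllowedToActOnBehalfOfOtherIdentity'
            $trusted = @()
            if ($rbcd -is [byte[]]) {
                # Attribute came back as a raw security descriptor: decode it.
                $sd = New-Object System.DirectoryServices.ActiveDirectorySecurity
                $sd.SetSecurityDescriptorBinaryForm($rbcd)
                $rbcd = $sd
            }
            if ($rbcd) {
                # Each ACE identity is a principal allowed to delegate to this object.
                $trusted = $rbcd.Access | ForEach-Object { $_.IdentityReference.Value }
            }
            [pscustomobject]@{
                Object        = $_.DistinguishedName
                ObjectClass   = $_.ObjectClass
                ConstrainedTo = ($_.'msDS-AllowedToDelegateTo' -join '; ')
                RbcdTrusts    = ($trusted -join '; ')
            }
        }
}

# Objects with a resource-based trust deserve review: on a workstation or member
# server, any entry that an administrator did not deliberately add is suspect.
Get-DelegationReport | Where-Object { $_.RbcdTrusts } | Format-Table -AutoSize
```

Unresolved SIDs in the RbcdTrusts column point at principals that no longer exist and should be cleaned up along with any unexpected entries.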