Advanced Techniques — From Windows

Mon, 01 Jan 0001 00:00:00 +0000

Quick Reference

Technique	Tool	Requirement	Impact
KrbRelayUp (RBCD)	KrbRelayUp + Rubeus	Domain-joined, no LDAP signing	Low-priv → SYSTEM
gMSA password read	GMSAPasswordReader	Authorized principal	Lateral movement
LAPS password read	Get-AdmPwdPassword / PowerView	Read perm on ms-Mcs-AdmPwd	Local admin on target
PPL bypass (mimidrv)	Mimikatz + mimidrv.sys	Local admin	LSASS dump despite PPL
PPL bypass (PPLdump)	PPLdump	Local admin	LSASS dump despite PPL
LSASS dump (comsvcs)	LOLBAS / rundll32	Local admin	Credential extraction
WebDAV coercion trigger	PowerShell	Shell on target	Force HTTP auth for relay
Shadow credentials	Whisker	GenericWrite on account	PKINIT auth, NT hash

KrbRelayUp — Local Privilege Escalation to SYSTEM

What KrbRelayUp Is

KrbRelayUp abuses Resource-Based Constrained Delegation (RBCD) to escalate from a low-privilege domain user with a local shell to NT AUTHORITY\SYSTEM on the same machine. The attack creates a new machine account, configures RBCD on the target machine to trust that new account, then uses S4U2Self + S4U2Proxy to get a Kerberos service ticket impersonating Administrator (or any domain user) for the current machine — then uses that ticket to spawn a SYSTEM process.

Laps on MrAzoth

Advanced Techniques — From Windows

Quick Reference

KrbRelayUp — Local Privilege Escalation to SYSTEM

What KrbRelayUp Is