DavRelayUp: A universal no-fix local privilege escalation in domain-joined windows workstations

DavRelayUp

A quick and dirty port of KrbRelayUp with modifications to allow for NTLM relay from webdav to LDAP in order to streamline the abuse of the following attack primitive:

  1. (Optional) New machine account creation (New-MachineAccount)
  2. Force start the WebClient service
  3. Start webdav relay server (GoRelayServer – a golang DLL that is embedded in DavRelayUp using Costura.Fody)
  4. Local machine account auth coercion (SharpSystemTriggers)
  5. NTLM relay to LDAP
  6. Add RBCD privs and obtain privileged ST to the local machine (Rubeus)
  7. Using said ST to authenticate to the local Service Manager and create a new service as NT/SYSTEM. (SCMUACBypass)

This is essentially a universal no-fix local privilege escalation in domain-joined Windows workstations where LDAP signing is not enforced (the default settings).

Mitigation & Detection

Install & Use

Support Our Threat Intelligence

If you find our technology report and cybersecurity news helpful, consider supporting our work.

Crypto QR Code
USDT (TRC20):
TN8BdV8cp4T1Cd28gK9qTAnZknzzuwyUtm
USDT (ERC20):
0x3725e1a7d3bc5765499fa6aaafe307fabcd75bce

Leave a Reply