Kerberos Relay

• https://googleprojectzero.blogspot.com/2021/10/windows-exploitation-tricks-relaying.html

• https://googleprojectzero.blogspot.com/2021/10/using-kerberos-for-authentication-relay.html

• https://decoder.cloud/2025/04/24/from-ntlm-relay-to-kerberos-relay-everything-you-need-to-know/

mitm6 + Kerberos DNS Relay + AD CS ESC8

• https://dirkjanm.io/relaying-kerberos-over-dns-with-krbrelayx-and-mitm6/

Tools

KrbRelay

• https://github.com/cube0x0/KrbRelay

• https://gist.github.com/tothi/bf6c59d6de5d0c9710f23dae5750c4b9

• https://icyguider.github.io/2022/05/19/NoFix-LPE-Using-KrbRelay-With-Shadow-Credentials.html

KrbRelayUp

• https://github.com/Dec0ne/KrbRelayUp

• https://www.microsoft.com/security/blog/2022/05/25/detecting-and-preventing-privilege-escalation-attacks-leveraging-kerberos-relaying-krbrelayup/

• https://github.com/BronzeBee/DavRelayUp

• https://github.com/Dec0ne/DavRelayUp

RELAY

Relay authentication to LDAP(S) with automatic machine creation and configure RBCD:

Perform RBCD with UPNs:

SPAWN

Execute a command as NT AUTHORITY\SYSTEM via RBCD abuse:

RemoteKrbRelay

• https://habr.com/ru/articles/848542/

• https://github.com/CICADA8-Research/RemoteKrbRelay

• https://github.com/rtecCyberSec/RemoteKrbRelay/tree/ntlm

• https://github.com/OleFredrik1/remoteKrbRelayx

KrbRelay-SMBServer

• https://www.tiraniddo.dev/2024/04/relaying-kerberos-authentication-from.html

• https://github.com/decoder-it/KrbRelay-SMBServer

• https://www.synacktiv.com/publications/relaying-kerberos-over-smb-using-krbrelayx

• https://www.synacktiv.com/publications/abusing-multicast-poisoning-for-pre-authenticated-kerberos-relay-over-http-with

Stop/start services with Cmd:

Stop/start services with PowerShell and attack: