KrbRelay icon indicating copy to clipboard operation
KrbRelay copied to clipboard
verified publisher icon cube0x0

How to find a suitable CSID?

Open CravateRouge opened this issue 4 months ago • 0 comments

I would like to try KrbRelay on a windows server 2022 but the COM class associated to the default CLSID for this attack is not available on it.

I tried finding one with oleviewdotnetv1.6 and adapting what you did with an older version but when I do:

Import-Module .\OleViewDotNet
Get-ComDatabase
Get-ComProcess -DbgHelpPath 'C:\My\Imported\dbghelp.dll' | select ProcessId,ExecutablePath,Name,AppId,User,AuthnLevel,ImpLevel

I only find processes running with my standard user and with AuthnLevel and ImpLevel DEFAULT.

I also tried using CLSID from those outputs:

Get-ComClass -server | Select-ComAccess
Get-ComClass | Select-ComAccess -Level ActivateLocal
Get-ComClass | SelectComAccess

But always get a COM exception.

Could someone help me to clarify what I should look for exactly in order to leverage the KrbRelay? And also why I'm only able to see processes running with my standard user?

CravateRouge avatar Sep 26 '25 11:09 CravateRouge