Active Members Fi8sVrs Posted January 27, 2019 Active Members Report Share Posted January 27, 2019 (edited) In most organisations using Active Directory and Exchange, Exchange servers have such high privileges that being an Administrator on an Exchange server is enough to escalate to Domain Admin. Recently I came across a blog from the ZDI, in which they detail a way to let Exchange authenticate to attackers using NTLM over HTTP. This can be combined with an NTLM relay attack to escalate from any user with a mailbox to Domain Admin in probably 90% of the organisations I’ve seen that use Exchange. This attack is possible by default and while no patches are available at the point of writing, there are mitigations that can be applied to prevent this privilege escalation. This blog details the attack, some of the more technical details and mitigations, as well as releasing a proof-of-concept tool for this attack which I’ve dubbed “PrivExchange”. Read more s-ar incadra la tutoriale, cautati sursa dupa titlu, ceva cu .io Edit: https://dirkjanm.io/abusing-exchange-one-api-call-away-from-domain-admin/ Edited January 27, 2019 by OKQL 1 1 Quote Link to comment Share on other sites More sharing options...
