Pwned by the Mail Carrier

How MS Exchange on-premises compromises Active Directory and what organizations can do to prevent that.

At SpecterOps, we recommend our customers establish a security boundary around their most critical assets (i.e., Tier Zero) of Active Directory (AD). We help them find and remediate the attack paths that cross this security boundary with BloodHound Enterprise. One of the most common challenges we and our customers face is Microsoft Exchange on-premises (Exchange).

If you compromise Exchange in AD, you are almost guaranteed an attack path to full control over the domain because of the extensive AD permissions Exchange has. It has been like this for many years; Microsoft has reduced many permissions, but the problem remains.

In this blog post, we will explore which permissions Exchange holds in AD that an attacker can abuse to compromise the domain, how the choice between the different Exchange permission models affects the compromise of AD permissions, and what organizations can do to reduce those permissions so that a compromise of Exchange no longer provides an attack path to full control of the domain.

Acknowledgments

A big thank you to the following people for their work, which I have used in this blog post: