Abusing Exchange: One API call away from Domain Admin

In most organisations using Active Directory and Exchange, Exchange servers have such high privileges that being an Administrator on an Exchange server is enough to escalate to Domain Admin. Recently I came across a blog from the ZDI, in which they detail a way to make Exchange authenticate to an attacker-controlled host using NTLM over HTTP. This can be combined with an NTLM relay attack to escalate from any user with a mailbox to Domain Admin in probably 90% of the organisations I’ve seen that use Exchange. This attack is possible by default and, while no patches are available at the time of writing, there are mitigations that can be applied to prevent this privilege escalation. This blog details the attack, some of the more technical details and mitigations, and releases a proof-of-concept tool for this attack which I’ve dubbed “PrivExchange”.

By | 2024-08-26T15:01:42+00:00 | February 7, 2019 | Article, Artikel, English, Dutch | Comments Off on Abusing Exchange: One API call away from Domain Admin

Important: By reading this article you accept the conclusions ☁ + sourcing – cl / d = t

Lately I have been looking a lot into the risks and security aspects of cloud services. And to be honest, from a security perspective, cloud is not that new. Most of the risks associated with cloud services are actually exactly the same as those related to outsourcing, a subject I’m obviously quite familiar with. In that respect, the Free Software Foundation Europe is quite right.

Yet, saying that cloud is just the same as outsourcing would not do justice to what is currently going on. There really are a few differences that set modern-day cloud computing apart from classic outsourcing.

By | 2024-08-26T15:09:37+00:00 | August 17, 2017 | Article, Artikel, English, Dutch | Comments Off on Important: By reading this article you accept the conclusions ☁ + sourcing – cl / d = t