Abusing Exchange High Privs - CraigDonkin/Infrastructure GitHub Wiki

Abusing Exchange High Privs

  • Exchange Windows Permissions group
    • Has WriteDacl on the domain object in AD by default
      • Any member of this group can rewrite the domain object's ACL and grant an account of their choosing replication rights
        • Perform DCSync operations against a domain controller
        • Pull the NT hashes of any domain account, as if the account were a replicating DC

Organization Management

  • Look out for users that are members of this security group, or of a group that can manage its membership
  • Created when Exchange is installed
  • Provides access to Exchange-related administrative activities
  • Members can modify the membership of the other Exchange security groups
    • Exchange Trusted Subsystem
      • Is a member of the Exchange Windows Permissions security group, so control of Organization Management reaches WriteDacl on the domain

Exchange Windows Permissions

  • Has WriteDacl permission on the domain object of the domain where Exchange was installed, by default
    • Allows an identity to modify the permissions (the DACL) of that object
    • Can allow privilege escalation to Domain Admin-equivalent access without ever touching the Domain Admins group
  • Modify the permissions of an entity (e.g. a compromised user account) to add the two replication extended rights
    • Replicating Directory Changes (DS-Replication-Get-Changes)
    • Replicating Directory Changes All (DS-Replication-Get-Changes-All)
  • With these permissions the entity can request the password hashes of domain users from a DC over the replication protocol (DCSync)
    • Including krbtgt, whose hash is enough to forge Kerberos tickets for the whole domain

https://github.com/gdedrouas/Exchange-AD-Privesc/blob/master/DomainObject/DomainObject.md

Finding Users with these Perms

  • Invoke-ACLPwn (PowerShell tool from the Fox-IT blog post linked under Reference)
  • Enumerates all ACEs in the ACL of the domain object
  • Finds a chain of group memberships and ACEs from the current user that ends in WriteDacl on the domain object
  • It then adds the user to the necessary groups and adds the ACEs that grant the directory replication rights
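The two audits above (who sits in the Exchange groups, and who holds dangerous rights on the domain object) as an added example. This is not the wiki's own code and it is not Invoke-ACLPwn; it only reads, it does not change anything. It assumes the RSAT ActiveDirectory module on a domain-joined host, the default English group names, and an ordinary domain account (reading the DACL and group membership needs no special rights). The extended-right GUIDs are the well-known schema GUIDs for the replication rights.

```powershell
# Added example (not from the wiki or Invoke-ACLPwn): read-only audit of the
# domain object's DACL and of the Exchange group membership chain.
# Assumes: RSAT ActiveDirectory module, domain-joined host, default group names.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName
$acl      = Get-Acl -Path "AD:\$domainDN"
$R        = [System.DirectoryServices.ActiveDirectoryRights]

# Schema GUIDs of the replication extended rights that make DCSync possible.
$replRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}

function Get-DangerousDomainAces {
    param([System.DirectoryServices.ActiveDirectorySecurity]$Acl)

    foreach ($ace in $Acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $rights = $ace.ActiveDirectoryRights
        $why    = $null

        # GenericAll contains WriteDacl, WriteOwner and ExtendedRight, so test it first.
        if     ($rights.HasFlag($R::GenericAll))  { $why = 'GenericAll' }
        elseif ($rights.HasFlag($R::WriteDacl))   { $why = 'WriteDacl (can grant itself replication rights)' }
        elseif ($rights.HasFlag($R::WriteOwner))  { $why = 'WriteOwner (take ownership, then rewrite the DACL)' }
        elseif ($rights.HasFlag($R::ExtendedRight)) {
            # ObjectType names one extended right; an empty GUID means all of them.
            $guid = $ace.ObjectType.ToString()
            if ($ace.ObjectType -eq [Guid]::Empty)     { $why = 'All extended rights (includes replication)' }
            elseif ($replRights.ContainsKey($guid))    { $why = $replRights[$guid] }
        }

        if ($why) {
            [pscustomobject]@{
                Identity  = $ace.IdentityReference.Value
                Right     = $why
                Inherited = $ace.IsInherited
            }
        }
    }
}

$findings = Get-DangerousDomainAces -Acl $acl
$findings | Sort-Object Identity | Format-Table -AutoSize | Out-Host

# Expected holders are the usual suspects (Domain Admins, Enterprise Admins,
# Administrators, SYSTEM, ENTERPRISE DOMAIN CONTROLLERS, Domain Controllers).
# On an unpatched Exchange install the group from this page shows up here too:
$findings | Where-Object Identity -like '*Exchange*' | Format-Table -AutoSize | Out-Host

# Who can reach those rights through membership: recursive members of the three
# Exchange groups. Indirect control via WriteProperty on a group's member
# attribute is not covered here; that is the ACE chain Invoke-ACLPwn walks.
$exchangeGroups = 'Organization Management', 'Exchange Windows Permissions', 'Exchange Trusted Subsystem'
foreach ($g in $exchangeGroups) {
    $members = Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Group   = $g
        Members = ($members | ForEach-Object SamAccountName) -join ', '
    }
}
```

Run it as any domain user; anything in the first table that is not a built-in administrative principal, and any human account in the last table, is a candidate for the escalation described above.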

Mitigations

  • Remove dangerous ACLs from the domain object (anything beyond what the holder actually needs)
  • Remove the WriteDacl permission for the Exchange Windows Permissions group on the domain object
  • Monitor membership changes to the Exchange security groups (Organization Management, Exchange Windows Permissions, Exchange Trusted Subsystem)
  • Monitor changes to the domain object's ACL, and replication requests that come from accounts other than domain controllers
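The mitigations above as an added example, not the wiki's own code: remove the explicit WriteDacl ACE that Exchange Windows Permissions holds on the domain object, then query the Security log events that cover the three monitoring points. It assumes the RSAT ActiveDirectory module, Domain Admin rights, the default English group names, and that it is run on a domain controller for the event queries. `$DryRun`, `Get-MsgField` and the backup path are this example's own names.

```powershell
# Added example (not from the wiki): remediation plus the matching detections.
# Assumes: RSAT ActiveDirectory module, Domain Admin, run on a DC, default names.
Import-Module ActiveDirectory

$DryRun   = $true          # set to $false to actually write the new DACL
$domainDN = (Get-ADDomain).DistinguishedName
$path     = "AD:\$domainDN"
$acl      = Get-Acl -Path $path

# Keep the current descriptor as SDDL so the change can be reverted.
$backup = Join-Path $env:TEMP ("domain-acl-{0:yyyyMMdd-HHmmss}.sddl" -f (Get-Date))
$acl.Sddl | Out-File -FilePath $backup -Encoding ascii
Write-Host "Backed up current SDDL to $backup"

$groupSid = (Get-ADGroup -Identity 'Exchange Windows Permissions').SID
$toRemove = $acl.Access | Where-Object {
    -not $_.IsInherited -and
    $_.AccessControlType -eq 'Allow' -and
    $_.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::WriteDacl) -and
    $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $groupSid
}

if (-not $toRemove) {
    Write-Host 'No explicit WriteDacl ACE for Exchange Windows Permissions on the domain object.'
} else {
    foreach ($ace in $toRemove) {
        # One ACE may bundle several rights; removing it drops all of them, so
        # review the listed rights before turning $DryRun off.
        Write-Host ("Removing ACE: {0} -> {1}" -f $ace.IdentityReference, $ace.ActiveDirectoryRights)
        [void]$acl.RemoveAccessRuleSpecific($ace)
    }
    Set-Acl -Path $path -AclObject $acl -WhatIf:$DryRun
}
# Re-check after Exchange upgrades: setup may reapply its default permissions.

# --- Monitoring: pull the classic "Field:   value" lines out of event text ---
function Get-MsgField([string]$Message, [string]$Field) {
    if ($Message -match ([regex]::Escape($Field) + ':\s+([^\r\n]+)')) { $Matches[1].Trim() } else { $null }
}
$since = (Get-Date).AddDays(-1)

# 5136: directory object modified. Needs "Audit Directory Service Changes" and a
# SACL on the domain object; without both, the DC records nothing here.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5136; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'nTSecurityDescriptor' -and $_.Message -match [regex]::Escape($domainDN) } |
    Select-Object TimeCreated, @{ n = 'Subject'; e = { Get-MsgField $_.Message 'Account Name' } } |
    Format-Table -AutoSize | Out-Host

# 4662: object access. DCSync is a 4662 whose Properties carry a replication
# GUID. DCs replicate with each other all day, so drop computer accounts (name$).
$replGuids = '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2',
             '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2',
             '89e95b76-444d-4c62-991a-0facbeda640c'
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4662; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object {
        $m = $_.Message
        ($replGuids | Where-Object { $m -match $_ }) -and ((Get-MsgField $m 'Account Name') -notmatch '\$$')
    } |
    Select-Object TimeCreated, @{ n = 'Subject'; e = { Get-MsgField $_.Message 'Account Name' } } |
    Format-Table -AutoSize | Out-Host

# 4728 / 4732 / 4756: member added to a global / domain-local / universal
# security group. Restrict to the three Exchange groups from this page.
$exchangeGroups = 'Organization Management', 'Exchange Windows Permissions', 'Exchange Trusted Subsystem'
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4728, 4732, 4756; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { $grp = Get-MsgField $_.Message 'Group Name'; $exchangeGroups -contains $grp } |
    Select-Object TimeCreated, Id,
        @{ n = 'Group';  e = { Get-MsgField $_.Message 'Group Name' } },
        @{ n = 'Actor';  e = { Get-MsgField $_.Message 'Account Name' } } |
    Format-Table -AutoSize | Out-Host
```

The event queries are a starting point for a SIEM rule rather than a substitute for one: 4662 in particular only fires for DCSync when "Audit Directory Service Access" is enabled on the DCs, and a replication request from any account without a trailing `$` is worth an alert on its own.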

Reference

https://blog.fox-it.com/2018/04/26/escalating-privileges-with-acls-in-active-directory/
