STEALTHbits mitigates a new vulnerability that uses Exchange Authentication to gain AD Admin privileges
A new attack has been posted by Dirk-
This attack combines known vulnerabilities in a new way to achieve privilege escalation that can be used to attack AD. Here is how the attack works.
An attacker sends a request to Exchange that causes Exchange to respond with an NTLM authentication request over HTTP (#1).
Exchange responds (#2) and because NTLM is susceptible to relay attacks all the attacker has to do is forward the authentication request to AD (#3). AD thinks the attacker’s machine is Exchange and treats it with all of the associated privileges that Exchange normally has. The attacker can then create new admin accounts or modify privileges (#4) using the Exchange account. With this level of access, the attacker can use popular hacker toolkits like Mimikatz to perform a DCSync attack (#5) which can be used to obtain password hashes for any account in the domain. From there, the attacker can pretty much do anything they want to do.
STEALTHbits cannot prevent the Exchange portion of the attack, but we can mitigate the later stages where the exchange account is used to create shadow accounts and modify existing privileges inside Active Directory.
Here’s how STEALTHbits Can Help
#1 – DC Sync Prevention
StealthAUDIT can see if the default permissions to the Exchange Windows Permission group has rights to the domain object in Active Directory, which would allow the members of this group to perform DC Sync attacks to replicate user passwords from AD. This can give an attacker the immediate ability to get the Kerberos service account (krbtgt) and create golden tickets.
StealthINTERCEPT can monitor and block DC Sync attacks, stopping that attack vector in its tracks.
#2 – Permission Mitigation
The #1 recommended mitigation from the blog is “Remove the unnecessary high privileges that Exchange has on the Domain object”. This is something you can report on with AD Permissions Analyzer and clean up using StealthAUDIT. These permissions are overprovisioned and reducing them mitigates this attack.
If you are a current customer and have these products, you are covered. If not, you can download trial versions of our products to mitigate these attacks.
>>>Download StealthINTERCEPT to prevent DC Sync. Our trial version will let you detect and block these attacks while Microsoft works on a patch.
>>>Download StealthAUDIT AD Permissions Analyzer to analyze excessive permissions.
A Microsoft Advisory has been posted, but a patch is not currently available at this time. Learn more.
Don’t miss a post! Subscribe to ‘The Insider Threat Security’ Blog here:
As the VP of Product Marketing, Darin is responsible for product messaging and positioning as well as generating industry and market awareness for STEALTHbits products. He is an experienced leader who has worked in software for over 21 years.
Prior to joining STEALTHbits, he was VP of Marketing for Quorum and SecureAuth, and has held positions in product management & product marketing at Oracle, and Quest Software.
Related Posts
- SERVER (UN)TRUST ACCOUNT
- Setup, Configuration, and Task Execution with Covenant: The Complete Guide
- Protecting Against DCShadow
- Detecting Persistence through Active Directory Extended Rights
- Resource-Based Constrained Delegation Abuse
- Honey Token Threat Detection with StealthDEFEND
- Domain Persistence with Subauthentication Packages
- What is DCSync? An Introduction
- How to Detect Pass-the-Hash Attacks
- ProTip – Enterprise Password Enforcer Complex Policies
Leave a Reply