The attack, which lets any authenticated domain user become a Domain Admin, was discovered by researcher Dirk-jan Mollema. It chains known weaknesses into a privilege escalation against Active Directory in a few steps:
- An attacker sends a request to Exchange that causes Exchange to respond with an NTLM authentication request over HTTP.
- Exchange responds, and because NTLM is susceptible to relay attacks, all the attacker has to do is forward the authentication request to Active Directory.
- AD thinks the attacker's machine is Exchange and grants it the corresponding privileges. The attacker can then create new admin accounts or modify privileges, and use hacker toolkits like Mimikatz to perform a DCSync attack and obtain password hashes for any account in the domain. From there, the attacker can do pretty much anything they want.
“Attackers have figured out a way to trick Microsoft Exchange into sending its login information,” said Darin Pendergraft, VP of Product Marketing with STEALTHbits Technologies.
“If an attacker sends a specific type of command, the Exchange server responds with its login. The attacker records and then forwards that login to the Active Directory system. Active Directory then thinks the attacker is the Exchange server, which has a lot of powerful privileges on the system. Now logged in as the Exchange server, the attacker can request password information from Active Directory and take over other accounts to steal or encrypt data.”
STEALTHbits says that its mitigation capabilities let organizations detect and block unusual login activity, monitor for the creation of new admin accounts, and stop an attacker from requesting password information from Active Directory.
To prevent DCSync, StealthAUDIT checks whether the default permissions of the Exchange Windows Permissions group give it rights on the domain object in Active Directory that would allow the group's members to perform DCSync attacks and replicate user password hashes from AD. (That gives an attacker immediate access to the Kerberos service account (krbtgt) hash and the ability to forge golden tickets.)
StealthINTERCEPT can monitor and block DCSync attacks, thwarting that attack vector.
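DCSync leaves a footprint a defender can monitor without any vendor product: a domain controller logs Security event 4662 when a principal exercises the replication extended rights on the domain object (the "Audit Directory Service Access" subcategory must be enabled for these events to be written). The following PowerShell is an added example, not StealthINTERCEPT or any code from Mollema's research; it matches 4662 events against the well-known replication-right GUIDs and treats any subject that is not a machine account as suspicious. The two sample events are constructed inline so the logic can be exercised offline; the assumption that only domain controllers' machine accounts replicate legitimately is a simplification (a real deployment would also allow-list, for example, Azure AD Connect's service account).

```powershell
# Added example (not STEALTHbits or Mollema code): flag DCSync-style replication
# requests in Security event 4662 by the replication extended-right GUIDs.
$ReplicationGuids = @(
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2',  # DS-Replication-Get-Changes
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2',  # DS-Replication-Get-Changes-All
    '89e95b76-444d-4c62-991a-0facbeda640c'   # DS-Replication-Get-Changes-In-Filtered-Set
)

function Test-DcsyncEvent {
    # Takes one event in the XML form that Get-WinEvent's .ToXml() returns.
    param([xml]$EventXml)
    $ev = $EventXml.Event
    $id = if ($ev.System.EventID -is [string]) { $ev.System.EventID } else { $ev.System.EventID.'#text' }
    if ([int]$id -ne 4662) { return $null }

    # Flatten <Data Name="...">value</Data> into a hashtable.
    $data = @{}
    foreach ($d in $ev.EventData.Data) { $data[$d.Name] = $d.'#text' }

    $hits = $ReplicationGuids | Where-Object { $data['Properties'] -match $_ }
    if (-not $hits) { return $null }

    $subject = $data['SubjectUserName']
    [pscustomobject]@{
        Time       = $ev.System.TimeCreated.SystemTime
        Subject    = "$($data['SubjectDomainName'])\$subject"
        Rights     = $hits -join ', '
        # Assumption: replication by a machine account ("DC01$") is a domain controller
        # doing its job; a user account exercising these rights is the DCSync signature.
        Suspicious = -not $subject.EndsWith('$')
    }
}

function Get-DcsyncEvents {
    # Live variant: scan the Security log on a domain controller.
    param([int]$MaxEvents = 5000)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4662 } -MaxEvents $MaxEvents |
        ForEach-Object { Test-DcsyncEvent ([xml]$_.ToXml()) } |
        Where-Object { $_ -and $_.Suspicious }
}

# Constructed sample events (not captured from a real DC): a DC replicating normally,
# and a user account requesting DS-Replication-Get-Changes-All.
$Samples = @(
@'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>4662</EventID>
<TimeCreated SystemTime="2019-02-01T10:00:00.000Z"/></System><EventData>
<Data Name="SubjectUserName">DC02$</Data><Data Name="SubjectDomainName">EXAMPLE</Data>
<Data Name="Properties">%%7688 {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}</Data></EventData></Event>
'@,
@'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>4662</EventID>
<TimeCreated SystemTime="2019-02-01T10:05:00.000Z"/></System><EventData>
<Data Name="SubjectUserName">jdoe</Data><Data Name="SubjectDomainName">EXAMPLE</Data>
<Data Name="Properties">%%7688 {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2} {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}</Data></EventData></Event>
'@
)

$Samples | ForEach-Object { Test-DcsyncEvent ([xml]$_) } | Format-Table -AutoSize
# The DC02$ row is reported with Suspicious = False; the jdoe row with Suspicious = True.
```

Note that in the PrivExchange scenario the relayed identity is the Exchange server's machine account, which ends in `$`; the machine-account heuristic alone would not catch that stage. What it does catch is the follow-on DCSync by whichever user account the attacker granted replication rights to, and the ACL change itself (event 5136 on the domain object) is the earlier signal worth alerting on.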
Permission mitigation: The #1 recommended mitigation from Mollema's blog post is "Remove the unnecessary high privileges that Exchange has on the Domain object." This can be checked with AD Permissions Analyzer and cleaned up with StealthAUDIT. These permissions are over-provisioned, and reducing them mitigates the attack.
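The permission check described above can also be done with the RSAT ActiveDirectory module, which exposes the directory as an `AD:` drive that `Get-Acl` and `Set-Acl` understand. The following PowerShell is an added example, not StealthAUDIT or AD Permissions Analyzer code: it reads the DACL of the domain object, reports every Allow ACE for the Exchange Windows Permissions group that either grants a replication extended right directly or grants rights (GenericAll, WriteDacl, WriteOwner) with which the group could grant itself replication rights, and offers a removal step that runs with `-WhatIf` until you deliberately drop that switch. The group name comes from the page; the set of rights treated as dangerous and the assumption that the session has read access to the domain object are mine.

```powershell
# Added example (not STEALTHbits or Mollema code): audit the domain object's ACL
# for DCSync-capable rights held by the Exchange Windows Permissions group.
Import-Module ActiveDirectory

# Extended-right GUIDs that permit DCSync-style replication.
$ReplicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}
# Rights that let a principal rewrite the DACL and so grant itself the rights above.
$EscalationRights = 'GenericAll', 'WriteDacl', 'WriteOwner'
$AllObjects = '00000000-0000-0000-0000-000000000000'   # ObjectType "any" = all extended rights

function Get-DcsyncCapableAces {
    param(
        [string]$Principal = 'Exchange Windows Permissions',   # group named on the page
        [string]$DomainDN  = (Get-ADDomain).DistinguishedName
    )
    $acl = Get-Acl -Path "AD:\$DomainDN"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($ace.IdentityReference.Value -notlike "*\$Principal") { continue }

        $rights = $ace.ActiveDirectoryRights.ToString() -split ',\s*'
        $guid   = $ace.ObjectType.ToString()
        $reason = $null

        if ($rights -contains 'ExtendedRight' -and $ReplicationRights.ContainsKey($guid)) {
            $reason = "Holds $($ReplicationRights[$guid]) directly"
        } elseif ($rights -contains 'ExtendedRight' -and $guid -eq $AllObjects) {
            $reason = 'Holds all extended rights, which include replication'
        } elseif ($rights | Where-Object { $EscalationRights -contains $_ }) {
            $reason = 'Can modify the DACL and grant itself replication rights'
        }

        if ($reason) {
            [pscustomobject]@{
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.ActiveDirectoryRights
                Inherited = $ace.IsInherited
                Reason    = $reason
                Ace       = $ace
            }
        }
    }
}

function Remove-DcsyncCapableAces {
    # Remediation: strip the flagged ACEs. Stays in -WhatIf mode until you remove that
    # switch; Exchange's own setup re-adds rights it expects, so re-run the audit
    # after any Exchange cumulative update.
    param([string]$DomainDN = (Get-ADDomain).DistinguishedName)
    $findings = Get-DcsyncCapableAces -DomainDN $DomainDN
    if (-not $findings) { Write-Host "No DCSync-capable ACEs found on $DomainDN"; return }
    $acl = Get-Acl -Path "AD:\$DomainDN"
    foreach ($f in $findings) { [void]$acl.RemoveAccessRule($f.Ace) }
    Set-Acl -Path "AD:\$DomainDN" -AclObject $acl -WhatIf
}

Get-DcsyncCapableAces | Format-Table Identity, Rights, Inherited, Reason -AutoSize
```

Run the audit on a domain controller or any domain-joined host with RSAT as a user who can read the domain object's security descriptor. An empty result means the group holds neither replication rights nor a way to grant them; a WriteDacl finding is the condition the relay abuses, and removing it is the mitigation the blog post recommends.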