Exchange Vulnerability: How to Detect Domain Admin Privilege Escalation

Researchers recently uncovered a vulnerability in Exchange that allows any domain user to obtain Domain admin privileges that allow them to compromise AD and connected hosts. Here’s how the attack...
1 min read
Last updated October 14, 2022

Researchers recently uncovered a vulnerability in Exchange that allows any domain user to obtain Domain admin privileges that allow them to compromise AD and connected hosts.

Here’s how the attack works:

  • Attacker uses a compromised mail-enabled domain user to subscribe to the exchange push notification feature
  • Attacker uses an NTLM relay to impersonate the exchange server:
  • The Exchange server authenticates to the compromised user’s host using NTLM over HTTP, which the attacker users to authenticate to the domain controller via LDAP with the exchange account’s credentials
  • Attacker then uses the exchange account’s permissions to change permissions on the domain object*

The attacker can then run a DCSync to get hashed passwords of all domain users – which enables them to execute different types of attacks – from golden ticket attacks to pass the hash.

Our research team has investigated and built a guide for our customers to detect this type of attack – and to see if they’ve been compromised already.

Here’s what you need to know.

*This last step could also be by a rogue admin, who has legitimate access to make that permission change: by creating a rule to detect on that activity, you’ll be covered either way.

How to detect domain privilege escalation

In DatAlert, create a custom rule to monitor specific permission changes on an object – this will trigger when a Directory Services object permission is added on the domain object.

  1. Set the rule name
  2. Set the alert category to “privilege escalation”
  3. Set resource type to “all values selected”
  4. Define the affected Object:
  5. File Server = DirectoryServices
  6. Choose the Domain object
  7. Create filter for DS object permission added

ex3

Running the report: How to detect permission change on the domain object

Permission changes on the domain object shouldn’t be common; anything that triggers this alert should be investigated.  Keep in mind, this is only a checkbox away from alerting on any DS permissions change (don’t forget to leave the “search in child objects unchecked!) – so generate a report to validate the alert before you deploy.

You’ll be able to see in this report if you’ve already been compromised by this attack as well.

ex-events-escalation

Once the rule is deployed, you can investigate this type of privilege escalation through the web UI:

ex-investigate-domain

Once that rule is set up, you’ll be able to monitor and protect against these types of security vulnerabilities, investigate Directory Services object events, and verify whether or not you’ve been affected by this vulnerability.

Check out the Microsoft security update as well – and reach out to your SE if you have any questions.

What should I do now?

Below are three ways you can continue your journey to reduce data risk at your company:

1

Schedule a demo with us to see Varonis in action. We'll personalize the session to your org's data security needs and answer any questions.

2

See a sample of our Data Risk Assessment and learn the risks that could be lingering in your environment. Varonis' DRA is completely free and offers a clear path to automated remediation.

3

Follow us on LinkedIn, YouTube, and X (Twitter) for bite-sized insights on all things data security, including DSPM, threat detection, AI security, and more.

Try Varonis free.

Get a detailed data risk report based on your company’s data.
Deploys in minutes.

Keep reading

Varonis tackles hundreds of use cases, making it the ultimate platform to stop data breaches and ensure compliance.

varonis-incident-response:-preventing-pii-exposure-in-box 
Varonis Incident Response: Preventing PII Exposure in Box 
Learn how the Varonis Incident Response team prevented PII from being compromised, and what this means for data in cloud collaboration platforms like Box.
how-to-prepare-for-major-shift-in-chatgpt-enterprise-data-access
How to Prepare for Major Shift in ChatGPT Enterprise Data Access
ChatGPT Enterprise is changing in the way it retrieves data and surfaces information to users in prompt responses. Learn about the new connectors and risks.
varonis-announces-strategic-partnership-with-microsoft-to-help-secure-the-future-of-ai
Varonis Announces Strategic Partnership with Microsoft to Help Secure the Future of AI
The companies have formed a strategic product partnership to deliver scalable data security, governance, and compliance for the AI era
hidden-risks-of-shadow-ai
Hidden Risks of Shadow AI
Shadow AI is on the rise as employees adopt unsanctioned AI tools. Learn the risks it poses to security and compliance, and how to manage it responsibly.