STEALTHbits Technologies announced mitigation capabilities for a recently-discovered* Microsoft Exchange privilege escalation attack that lets any user become a Domain Admin. STEALTHbits is making the capabilities available as a free trial for 30 days upon registration and request.
The attack method was detailed in the January 24, 2019 post Abusing Exchange: One API call away from Domain Admin of researcher Dirk-jan Mollema. It combines known vulns to achieve privilege escalation and attack Active Directory, as follows:
An attacker sends a request to Exchange that causes Exchange to respond with an NTLM authentication request over HTTP;
Exchange responds, and because NTLM is susceptible to man-in-the-middle relay attacks all the attacker has to do is forward the authentication request to Active Directory, which
thinks the attacker’s machine is Exchange and treats it with the privileges that Exchange normally has. The attacker is able to create new admin accounts or modify privilege, and hacker toolkits like Mimikatz to perform a DCSync attack and obtain password hashes for any account in the domain. From there, the attacker can pretty much do anything they want to do.
Darin Pendergraft, VP at STEALTHbits Technologies:
“Attackers have figured out a way to trick Microsoft Exchange into sending its login information. If an attacker sends a specific type of command, the Exchange server responds with its login. The attacker records and then forwards that login to the Active Directory system. Active Directory then thinks the attacker is the Exchange server, which has a lot of powerful privileges on the system.
“Now logged in as the Exchange server, the attacker can request password information from Active Directory in order to take over other accounts and to steal or encrypt data.
“This is where STEALTHbits’ mitigation can help by detecting and blocking unusual login activity, watching for the creation of new admin accounts, and preventing the attacker from requesting password information from Active Directory.”