User:Ironedelephant/sandbox

PrivExchange Vulnerability
The PrivExchange vulnerability was discovered in 2019 by Dirk-jan Mollema and was accompanied by a proof-of-concept (PoC) exploit. It is significant because it can allow an attacker who has compromised any single user account in the network to gain extensive privileges within a Microsoft domain.

Details
The PrivExchange vulnerability is a privilege escalation vulnerability that can be exploited by any attacker who has gained access to a Microsoft Active Directory domain whose network contains an on-premises Exchange server (as opposed to Office 365). It abused three conditions that hold by default: Exchange servers are installed with elevated domain privileges, they ship with features that use NTLM authentication, and NTLM authentication is vulnerable to relay attacks. Combined, these allow an attacker who has a foothold in the domain to obtain "DCSync" rights, which let the attacker impersonate a domain controller and request the password hashes of privileged users within the domain.

Mitigation
Administrators should ensure that Exchange is installed with the lowest necessary privileges, and LDAP and SMB signing should be enabled throughout the network so that relayed NTLM authentication is rejected. In February 2019, Microsoft released a critical patch. This change fixed "the notifications contract that is established between EWS clients and servers that are running Exchange Server not to allow authenticated notifications to be streamed by the server." Notifications are now sent with anonymous authentication instead of the server's elevated privileges.
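The following PowerShell script is an added example for this sandbox page; it is not Microsoft's code and not part of the original article. It audits, on the host it runs on, the SMB and LDAP signing settings named in the mitigation above, reporting whether each is enforced. It assumes it is run with local administrator rights and reads the standard policy-backed registry values for these settings (LDAPServerIntegrity exists only on domain controllers, so that check is skipped elsewhere).

```powershell
# Added example (not from the original page): audit the signing settings that
# block NTLM relay on the host where the script runs. Run from an elevated shell.
# The registry paths are the standard policy-backed locations for these settings.

function Get-SigningSetting {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [int]    $Required,   # value that means "signing required"
        [Parameter(Mandatory)] [string] $Label
    )
    $value = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
    $display = if ($null -eq $value) { 'not set (default)' } else { $value }
    [pscustomobject]@{
        Setting  = $Label
        Path     = "$Path\$Name"
        Value    = $display
        Enforced = ($value -eq $Required)
    }
}

function Test-RelayHardening {
    $checks = @(
        Get-SigningSetting -Label 'SMB server signing required' `
            -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
            -Name 'RequireSecuritySignature' -Required 1
        Get-SigningSetting -Label 'SMB client signing required' `
            -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters' `
            -Name 'RequireSecuritySignature' -Required 1
    )
    # LDAPServerIntegrity lives under the NTDS service, present only on domain
    # controllers; a value of 2 means the DC requires LDAP signing.
    $ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    if (Test-Path $ntds) {
        $checks += Get-SigningSetting -Label 'LDAP server signing required' `
            -Path $ntds -Name 'LDAPServerIntegrity' -Required 2
    }
    $checks
}

$results = Test-RelayHardening
$results | Format-Table -AutoSize
if ($results | Where-Object { -not $_.Enforced }) {
    Write-Warning 'One or more signing settings are not enforced; NTLM relay to this host remains possible.'
}
```

Run the script on the Exchange servers, the domain controllers and a sample of workstations; any row with Enforced set to False marks a host that still accepts unsigned sessions and therefore still offers a relay target, regardless of whether the Exchange patch has been applied.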