{"id":8638,"date":"2024-04-04T09:23:03","date_gmt":"2024-04-04T07:23:03","guid":{"rendered":"https:\/\/www.teal-consulting.de\/?p=8638"},"modified":"2024-06-17T10:16:38","modified_gmt":"2024-06-17T08:16:38","slug":"pwned-by-the-mail-carrier","status":"publish","type":"post","link":"https:\/\/www.teal-consulting.de\/en\/2024\/04\/04\/pwned-by-the-mail-carrier\/","title":{"rendered":"Pwned by the Mail Carrier"},"content":{"rendered":"<div class=\"wpb-content-wrapper\"><strong>A guest article from our partner: <a href=\"https:\/\/specterops.io\/\" target=\"_blank\" rel=\"noopener\">SpecterOps<\/a><br \/>\nAuthor: Jonas B\u00fclow Knudsen (Product Architect)<\/strong>\n<p id=\"8e6b\" class=\"pw-post-body-paragraph nb nc gt nd b ne nf ng nh ni nj nk nl nm nn no np nq nr ns nt nu nv nw nx ny gm bj\" data-selectable-paragraph=\"\"><em class=\"nz\">How MS Exchange on-premises compromises Active Directory and what organizations can do to prevent that.<\/em><\/p>\n<p id=\"3de3\" class=\"pw-post-body-paragraph nb nc gt nd b ne nf ng nh ni 
nj nk nl nm nn no np nq nr ns nt nu nv nw nx ny gm bj\" data-selectable-paragraph=\"\">At SpecterOps, we recommend our customers establish a security boundary around their most critical assets (i.e.,\u00a0<a class=\"af oa\" href=\"https:\/\/posts.specterops.io\/what-is-tier-zero-part-1-e0da9b7cdfca\" target=\"_blank\" rel=\"noopener ugc nofollow\">Tier Zero<\/a>) of Active Directory (AD). We help them find and remediate the attack paths that cross this security boundary with\u00a0<a class=\"af oa\" href=\"https:\/\/bloodhoundenterprise.io\/\" target=\"_blank\" rel=\"noopener ugc nofollow\">BloodHound Enterprise<\/a>. One of the most common challenges we and our customers face is Microsoft Exchange on-premises (Exchange).<\/p>\n<p id=\"b5d4\" class=\"pw-post-body-paragraph nb nc gt nd b ne nf ng nh ni nj nk nl nm nn no np nq nr ns nt nu nv nw nx ny gm bj\" data-selectable-paragraph=\"\">If you compromise Exchange in AD, you are almost guaranteed an attack path to full control over the domain because of the extensive AD permissions Exchange has. 
It has been like this for many years; Microsoft has reduced many permissions, but the problem remains.<\/p>\n<p id=\"d7db\" class=\"pw-post-body-paragraph nb nc gt nd b ne nf ng nh ni nj nk nl nm nn no np nq nr ns nt nu nv nw nx ny gm bj\" data-selectable-paragraph=\"\">In this blog post, we will explore what permissions Exchange has in AD that an attacker can abuse to compromise the domain; what effect the different Exchange permission model has in terms of compromising AD permissions; and what organizations can do to reduce the permissions such that the compromise of Exchange does not provide an attack path to full control of the domain.<\/p>\n<p>&nbsp;<\/p>\n<h2 id=\"f91a\" class=\"ob oc gt be od oe of og oh oi oj ok ol om on oo op oq or os ot ou ov ow ox oy bj\">Acknowledgments<\/h2>\n<p>&nbsp;<\/p>\n<p id=\"be8a\" class=\"pw-post-body-paragraph nb nc gt nd b ne oz ng nh ni pa nk nl nm pb no np nq pc ns nt nu pd nw nx ny gm bj\" data-selectable-paragraph=\"\">A big thank you to the following people for their work which I have used in this blog post:<\/p>\n<ul class=\"\">\n<li id=\"4422\" class=\"nb nc gt nd b ne nf ng nh ni nj nk nl nm nn no np nq nr ns nt nu nv nw nx ny pe pf pg bj\" data-selectable-paragraph=\"\"><a class=\"af oa\" href=\"https:\/\/github.com\/gdedrouas\" target=\"_blank\" rel=\"noopener ugc nofollow\">G\u00e9raud de Drouas<\/a>\u00a0for the GitHub repo documenting Exchange AD attacks:\u00a0<a class=\"af oa\" href=\"https:\/\/github.com\/gdedrouas\/Exchange-AD-Privesc\/tree\/master\" target=\"_blank\" rel=\"noopener ugc nofollow\">Exchange-AD-Privesc<\/a><\/li>\n<li id=\"46e0\" class=\"nb nc gt nd b ne ph ng nh ni pi nk nl nm pj no np nq pk ns nt nu pl nw nx ny pe pf pg bj\" data-selectable-paragraph=\"\"><a class=\"af oa\" href=\"https:\/\/medium.com\/@esnesenon\" rel=\"noopener\" target=\"_blank\">Shay Ber<\/a>\u00a0for describing how DnsAdmins can compromise DCs:\u00a0<a class=\"af oa\" 
href=\"https:\/\/medium.com\/@esnesenon\/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83\" rel=\"noopener\" target=\"_blank\">Feature, not bug: DNSAdmin to DC compromise in one line<\/a><\/li>\n<li id=\"bcd8\" class=\"nb nc gt nd b ne ph ng nh ni pi nk nl nm pj no np nq pk ns nt nu pl nw nx ny pe pf pg bj\" data-selectable-paragraph=\"\"><a class=\"af oa\" href=\"https:\/\/twitter.com\/_dirkjan\" target=\"_blank\" rel=\"noopener ugc nofollow\">Dirk-jan Mollema<\/a>\u00a0for describing AD property sets:\u00a0<a class=\"af oa\" href=\"https:\/\/dirkjanm.io\/abusing-forgotten-permissions-on-precreated-computer-objects-in-active-directory\/\" target=\"_blank\" rel=\"noopener ugc nofollow\">Abusing forgotten permissions on computer objects in Active Directory<\/a><\/li>\n<li id=\"1d9e\" class=\"nb nc gt nd b ne ph ng nh ni pi nk nl nm pj no np nq pk ns nt nu pl nw nx ny pe pf pg bj\" data-selectable-paragraph=\"\"><a class=\"af oa\" href=\"https:\/\/medium.com\/@oliverlyak\" rel=\"noopener\" target=\"_blank\">Oliver Lyak<\/a>\u00a0for describing the ESC9 and ESC10 abuse techniques:\u00a0<a class=\"af oa\" href=\"https:\/\/research.ifcr.dk\/certipy-4-0-esc9-esc10-bloodhound-gui-new-authentication-and-request-methods-and-more-7237d88061f7\" target=\"_blank\" rel=\"noopener ugc nofollow\">Certipy 4.0: ESC9 &amp; ESC10, BloodHound GUI, New Authentication and Request Methods \u2014 and more!<\/a><\/li>\n<li id=\"150e\" class=\"nb nc gt nd b ne ph ng nh ni pi nk nl nm pj no np nq pk ns nt nu pl nw nx ny pe pf pg bj\" data-selectable-paragraph=\"\"><a class=\"af oa\" href=\"https:\/\/twitter.com\/exploitph\" target=\"_blank\" rel=\"noopener ugc nofollow\">Charlie Clark<\/a>\u00a0for describing how explicit Kerberos mapping can be abused:\u00a0<a class=\"af oa\" href=\"https:\/\/exploit.ph\/cve-2021-42287-cve-2021-42278-weaponisation.html\" target=\"_blank\" rel=\"noopener ugc nofollow\">CVE-2021\u201342287\/CVE-2021\u201342278 Weaponisation<\/a><\/li>\n<li 
id=\"8fe7\" class=\"nb nc gt nd b ne ph ng nh ni pi nk nl nm pj no np nq pk ns nt nu pl nw nx ny pe pf pg bj\" data-selectable-paragraph=\"\"><a class=\"af oa\" href=\"https:\/\/twitter.com\/iansus\" target=\"_blank\" rel=\"noopener ugc nofollow\">Jean Marsault<\/a>\u00a0for describing how explicit certificate mapping can be abused:\u00a0<a class=\"af oa\" href=\"https:\/\/www.riskinsight-wavestone.com\/en\/2021\/06\/microsoft-adcs-abusing-pki-in-active-directory-environment\/#section-3-4\" target=\"_blank\" rel=\"noopener ugc nofollow\">Microsoft ADCS \u2014 Abusing PKI in Active Directory Environment<\/a><\/li>\n<li id=\"de29\" class=\"nb nc gt nd b ne ph ng nh ni pi nk nl nm pj no np nq pk ns nt nu pl nw nx ny pe pf pg bj\" data-selectable-paragraph=\"\"><a class=\"af oa\" href=\"https:\/\/www.linkedin.com\/in\/hans-joachim-knobloch-165527267\/\" target=\"_blank\" rel=\"noopener ugc nofollow\">Hans-Joachim Knobloch<\/a>\u00a0for describing how explicit certificate mapping can be abused:\u00a0<a class=\"af oa\" href=\"https:\/\/pkiblog.knobloch.info\/nilpferde-ndes-und-goldene-zertifikate-als-schluessel-zum-ad\" target=\"_blank\" rel=\"noopener ugc nofollow\">Nilpferde, NDES und goldene Zertifikate als Schl\u00fcssel zum AD<\/a><\/li>\n<li id=\"4f5f\" class=\"nb nc gt nd b ne ph ng nh ni pi nk nl nm pj no np nq pk ns nt nu pl nw nx ny pe pf pg bj\" data-selectable-paragraph=\"\"><a class=\"af oa\" href=\"https:\/\/www.alitajran.com\/\" target=\"_blank\" rel=\"noopener ugc nofollow\">Ali Tajran<\/a>\u00a0for describing how to remove Exchange\u2019s permissions in AD:\u00a0<a class=\"af oa\" href=\"https:\/\/www.alitajran.com\/how-to-remove-exchange-from-active-directory\/\" target=\"_blank\" rel=\"noopener ugc nofollow\">How to remove Exchange from Active Directory<\/a><\/li>\n<li id=\"83b1\" class=\"nb nc gt nd b ne ph ng nh ni pi nk nl nm pj no np nq pk ns nt nu pl nw nx ny pe pf pg bj\" data-selectable-paragraph=\"\"><a class=\"af oa\" 
href=\"https:\/\/www.linkedin.com\/company\/teal-technology-consulting-gmbh\/\" target=\"_blank\" rel=\"noopener ugc nofollow\">TEAL<\/a>\u00a0for describing how to configure relevant Exchange permissions in AD:\u00a0<a class=\"af oa\" href=\"https:\/\/www.teal-consulting.de\/en\/2023\/05\/15\/exchange-split-permission\/\" target=\"_blank\" rel=\"noopener ugc nofollow\">Exchange Split Permission \u2014 AD Permissions and Processes<\/a><\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<h2 id=\"6b4f\" class=\"ob oc gt be od oe of og oh oi oj ok ol om on oo op oq or os ot ou ov ow ox oy bj\">Exchange Attack Paths in the Past<\/h2>\n<p>&nbsp;<\/p>\n<p id=\"a450\" class=\"pw-post-body-paragraph nb nc gt nd b ne oz ng nh ni pa nk nl nm pb no np nq pc ns nt nu pd nw nx ny gm bj\" data-selectable-paragraph=\"\">When you install Exchange, the installation will create a set of Exchange AD groups for the Exchange admin users and the Exchange servers and grant those groups a lot of permissions in AD. Traditionally, that set of permissions has been very extensive and included permissions allowing Exchange to gain full control over the AD environment. 
For example, the group\u00a0<em class=\"nz\">Exchange Windows Permissions<\/em>\u00a0used to have\u00a0<a class=\"af oa\" href=\"https:\/\/support.bloodhoundenterprise.io\/hc\/en-us\/articles\/17312765477787-WriteDacl\" target=\"_blank\" rel=\"noopener ugc nofollow\"><em class=\"nz\">WriteDACL<\/em><\/a>\u00a0permission on the domain object by default, allowing the group to grant\u00a0<a class=\"af oa\" href=\"https:\/\/support.bloodhoundenterprise.io\/hc\/en-us\/articles\/17322385609371-DCSync\" target=\"_blank\" rel=\"noopener ugc nofollow\"><em class=\"nz\">DCSync<\/em><\/a>\u00a0permissions and thereby compromise the domain.<\/p>\n<figure class=\"pp pq pr ps pt pu pm pn paragraph-image\">\n<div class=\"pm pn po\"><picture><source srcset=\"https:\/\/miro.medium.com\/v2\/resize:fit:640\/format:webp\/0*P9vXYxGjbXyxLkLo 640w, https:\/\/miro.medium.com\/v2\/resize:fit:720\/format:webp\/0*P9vXYxGjbXyxLkLo 720w, https:\/\/miro.medium.com\/v2\/resize:fit:750\/format:webp\/0*P9vXYxGjbXyxLkLo 750w, https:\/\/miro.medium.com\/v2\/resize:fit:786\/format:webp\/0*P9vXYxGjbXyxLkLo 786w, https:\/\/miro.medium.com\/v2\/resize:fit:828\/format:webp\/0*P9vXYxGjbXyxLkLo 828w, https:\/\/miro.medium.com\/v2\/resize:fit:1100\/format:webp\/0*P9vXYxGjbXyxLkLo 1100w, https:\/\/miro.medium.com\/v2\/resize:fit:720\/format:webp\/0*P9vXYxGjbXyxLkLo 720w\" type=\"image\/webp\" sizes=\"(min-resolution: 4dppx) and (max-width: 700px) 50vw, (-webkit-min-device-pixel-ratio: 4) and (max-width: 700px) 50vw, (min-resolution: 3dppx) and (max-width: 700px) 67vw, (-webkit-min-device-pixel-ratio: 3) and (max-width: 700px) 65vw, (min-resolution: 2.5dppx) and (max-width: 700px) 80vw, (-webkit-min-device-pixel-ratio: 2.5) and (max-width: 700px) 80vw, (min-resolution: 2dppx) and (max-width: 700px) 100vw, (-webkit-min-device-pixel-ratio: 2) and (max-width: 700px) 100vw, 360px\" \/><source srcset=\"https:\/\/miro.medium.com\/v2\/resize:fit:640\/0*P9vXYxGjbXyxLkLo 640w, 
https:\/\/miro.medium.com\/v2\/resize:fit:720\/0*P9vXYxGjbXyxLkLo 720w, https:\/\/miro.medium.com\/v2\/resize:fit:750\/0*P9vXYxGjbXyxLkLo 750w, https:\/\/miro.medium.com\/v2\/resize:fit:786\/0*P9vXYxGjbXyxLkLo 786w, https:\/\/miro.medium.com\/v2\/resize:fit:828\/0*P9vXYxGjbXyxLkLo 828w, https:\/\/miro.medium.com\/v2\/resize:fit:1100\/0*P9vXYxGjbXyxLkLo 1100w, https:\/\/miro.medium.com\/v2\/resize:fit:720\/0*P9vXYxGjbXyxLkLo 720w\" sizes=\"(min-resolution: 4dppx) and (max-width: 700px) 50vw, (-webkit-min-device-pixel-ratio: 4) and (max-width: 700px) 50vw, (min-resolution: 3dppx) and (max-width: 700px) 67vw, (-webkit-min-device-pixel-ratio: 3) and (max-width: 700px) 65vw, (min-resolution: 2.5dppx) and (max-width: 700px) 80vw, (-webkit-min-device-pixel-ratio: 2.5) and (max-width: 700px) 80vw, (min-resolution: 2dppx) and (max-width: 700px) 100vw, (-webkit-min-device-pixel-ratio: 2) and (max-width: 700px) 100vw, 360px\" data-testid=\"og\" \/><img decoding=\"async\" class=\"bg mi pv c aligncenter\" role=\"presentation\" src=\"https:\/\/miro.medium.com\/v2\/resize:fit:720\/0*P9vXYxGjbXyxLkLo\" alt=\"\" width=\"360\" height=\"162\"><\/picture><\/div>\n<div><\/div>\n<\/figure>\n<p id=\"e304\" class=\"pw-post-body-paragraph nb nc gt nd b ne nf ng nh ni nj nk nl nm nn no np nq nr ns nt nu nv nw nx ny gm bj\" data-selectable-paragraph=\"\">However, Microsoft has reduced the Exchange permissions over time, such that an attacker that has compromised an Exchange server does not have a direct attack path to compromise the domain today. Microsoft fixed the WriteDACL permission on the domain object with a cumulative update for Exchange in 2019 (described\u00a0<a class=\"af oa\" href=\"https:\/\/support.microsoft.com\/en-us\/topic\/reducing-permissions-required-to-run-exchange-server-when-you-use-the-shared-permissions-model-e1972d47-d714-fd76-1fd5-7cdcb85408ed\" target=\"_blank\" rel=\"noopener ugc nofollow\">here<\/a>). 
Furthermore, the same update \u201c<em class=\"nz\">returns all environments to a common, reduced directory permission profile<\/em>\u201d, meaning that it also removed old, unnecessary permissions. Later the same year, Microsoft introduced two\u00a0<a class=\"af oa\" href=\"https:\/\/techcommunity.microsoft.com\/t5\/exchange-team-blog\/released-june-2019-quarterly-exchange-updates\/ba-p\/698398\" target=\"_blank\" rel=\"noopener ugc nofollow\">deny permissions on the DnsAdmins group<\/a>\u00a0to prevent the Exchange groups from compromising the domain using the attack described by\u00a0<a class=\"af oa\" href=\"https:\/\/medium.com\/@esnesenon\" rel=\"noopener\" target=\"_blank\">Shay Ber<\/a>\u00a0here:\u00a0<a class=\"af oa\" href=\"https:\/\/medium.com\/@esnesenon\/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83\" rel=\"noopener\" target=\"_blank\">Feature, not bug: DNSAdmin to DC compromise in one line<\/a>.<\/p>\n<p id=\"1774\" class=\"pw-post-body-paragraph nb nc gt nd b ne nf ng nh ni nj nk nl nm nn no np nq nr ns nt nu nv nw nx ny gm bj\" data-selectable-paragraph=\"\">Does that mean Exchange is harmless today? Not in the least.<\/p>\n<h2 id=\"1251\" class=\"ob oc gt be od oe of og oh oi oj ok ol om on oo op oq or os ot ou ov ow ox oy bj\">What Can Exchange Do Today, BloodHound?<\/h2>\n<p>&nbsp;<\/p>\n<p id=\"fd6a\" class=\"pw-post-body-paragraph nb nc gt nd b ne oz ng nh ni pa nk nl nm pb no np nq pc ns nt nu pd nw nx ny gm bj\" data-selectable-paragraph=\"\">I have installed Exchange Server 2019 in my AD lab with the default shared permissions model (more on the different permission models in the next section). 
Running\u00a0<a class=\"af oa\" href=\"https:\/\/github.com\/SpecterOps\/BloodHound\" target=\"_blank\" rel=\"noopener ugc nofollow\">BloodHound<\/a>\u00a0reveals that the\u00a0<em class=\"nz\">Exchange Windows Permissions<\/em>\u00a0group is still quite privileged in AD:<\/p>\n<figure class=\"pp pq pr ps pt pu pm pn paragraph-image\">\n<div class=\"px py fi pz bg qa\" tabindex=\"0\" role=\"button\">\n<div class=\"pm pn pw\"><picture><source srcset=\"https:\/\/miro.medium.com\/v2\/resize:fit:640\/format:webp\/0*DSaJfTsRp4EXxq4p 640w, https:\/\/miro.medium.com\/v2\/resize:fit:720\/format:webp\/0*DSaJfTsRp4EXxq4p 720w, https:\/\/miro.medium.com\/v2\/resize:fit:750\/format:webp\/0*DSaJfTsRp4EXxq4p 750w, https:\/\/miro.medium.com\/v2\/resize:fit:786\/format:webp\/0*DSaJfTsRp4EXxq4p 786w, https:\/\/miro.medium.com\/v2\/resize:fit:828\/format:webp\/0*DSaJfTsRp4EXxq4p 828w, https:\/\/miro.medium.com\/v2\/resize:fit:1100\/format:webp\/0*DSaJfTsRp4EXxq4p 1100w, https:\/\/miro.medium.com\/v2\/resize:fit:1400\/format:webp\/0*DSaJfTsRp4EXxq4p 1400w\" type=\"image\/webp\" sizes=\"(min-resolution: 4dppx) and (max-width: 700px) 50vw, (-webkit-min-device-pixel-ratio: 4) and (max-width: 700px) 50vw, (min-resolution: 3dppx) and (max-width: 700px) 67vw, (-webkit-min-device-pixel-ratio: 3) and (max-width: 700px) 65vw, (min-resolution: 2.5dppx) and (max-width: 700px) 80vw, (-webkit-min-device-pixel-ratio: 2.5) and (max-width: 700px) 80vw, (min-resolution: 2dppx) and (max-width: 700px) 100vw, (-webkit-min-device-pixel-ratio: 2) and (max-width: 700px) 100vw, 700px\" \/><source srcset=\"https:\/\/miro.medium.com\/v2\/resize:fit:640\/0*DSaJfTsRp4EXxq4p 640w, https:\/\/miro.medium.com\/v2\/resize:fit:720\/0*DSaJfTsRp4EXxq4p 720w, https:\/\/miro.medium.com\/v2\/resize:fit:750\/0*DSaJfTsRp4EXxq4p 750w, https:\/\/miro.medium.com\/v2\/resize:fit:786\/0*DSaJfTsRp4EXxq4p 786w, https:\/\/miro.medium.com\/v2\/resize:fit:828\/0*DSaJfTsRp4EXxq4p 828w, 
https:\/\/miro.medium.com\/v2\/resize:fit:1100\/0*DSaJfTsRp4EXxq4p 1100w, https:\/\/miro.medium.com\/v2\/resize:fit:1400\/0*DSaJfTsRp4EXxq4p 1400w\" sizes=\"(min-resolution: 4dppx) and (max-width: 700px) 50vw, (-webkit-min-device-pixel-ratio: 4) and (max-width: 700px) 50vw, (min-resolution: 3dppx) and (max-width: 700px) 67vw, (-webkit-min-device-pixel-ratio: 3) and (max-width: 700px) 65vw, (min-resolution: 2.5dppx) and (max-width: 700px) 80vw, (-webkit-min-device-pixel-ratio: 2.5) and (max-width: 700px) 80vw, (min-resolution: 2dppx) and (max-width: 700px) 100vw, (-webkit-min-device-pixel-ratio: 2) and (max-width: 700px) 100vw, 700px\" data-testid=\"og\" \/><img decoding=\"async\" class=\"bg mi pv c alignnone\" role=\"presentation\" src=\"https:\/\/miro.medium.com\/v2\/resize:fit:1400\/0*DSaJfTsRp4EXxq4p\" alt=\"\" width=\"700\" height=\"528\"><\/picture><\/div>\n<\/div>\n<\/figure>\n<div><\/div>\n<div>\n<p id=\"ec44\" class=\"pw-post-body-paragraph nb nc gt nd b ne nf ng nh ni nj nk nl nm nn no np nq nr ns nt nu nv nw nx ny gm bj\" data-selectable-paragraph=\"\">Exchange Windows Permissions has the following compromising permissions:<\/p>\n<p id=\"c629\" class=\"pw-post-body-paragraph nb nc gt nd b ne nf ng nh ni nj nk nl nm nn no np nq nr ns nt nu nv nw nx ny gm bj\" data-selectable-paragraph=\"\">On users (without ACL inheritance disabled)<\/p>\n<ul>\n<li style=\"list-style-type: none;\">\n<ul class=\"\">\n<li id=\"e7b9\" class=\"nb nc gt nd b ne nf ng nh ni nj nk nl nm nn no np nq nr ns nt nu nv nw nx ny pe pf pg bj\" data-selectable-paragraph=\"\"><a class=\"af oa\" href=\"https:\/\/support.bloodhoundenterprise.io\/hc\/en-us\/articles\/17312765477787-WriteDacl\" target=\"_blank\" rel=\"noopener ugc nofollow\">WriteDACL<\/a>: Permission to add any permission, including full control<\/li>\n<li id=\"5ed3\" class=\"nb nc gt nd b ne ph ng nh ni pi nk nl nm pj no np nq pk ns nt nu pl nw nx ny pe pf pg bj\" data-selectable-paragraph=\"\"><a class=\"af oa\" 
href=\"https:\/\/support.bloodhoundenterprise.io\/hc\/en-us\/articles\/17223286750747-ForceChangePassword\" target=\"_blank\" rel=\"noopener ugc nofollow\">ForceChangePassword<\/a>: Permission to reset the user\u2019s password<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p id=\"e138\" class=\"pw-post-body-paragraph nb nc gt nd b ne nf ng nh ni nj nk nl nm nn no np nq nr ns nt nu nv nw nx ny gm bj\" data-selectable-paragraph=\"\">On groups (without ACL inheritance disabled)<\/p>\n<ul>\n<li style=\"list-style-type: none;\">\n<ul class=\"\">\n<li id=\"f298\" class=\"nb nc gt nd b ne nf ng nh ni nj nk nl nm nn no np nq nr ns nt nu nv nw nx ny pe pf pg bj\" data-selectable-paragraph=\"\"><a class=\"af oa\" href=\"https:\/\/support.bloodhoundenterprise.io\/hc\/en-us\/articles\/17357900321947-AddMember\" target=\"_blank\" rel=\"noopener ugc nofollow\">AddMember<\/a>: Permission to add members to the group<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p id=\"c657\" class=\"pw-post-body-paragraph nb nc gt nd b ne nf ng nh ni nj nk nl nm nn no np nq nr ns nt nu nv nw nx ny gm bj\" data-selectable-paragraph=\"\">The permissions effectively allow you to compromise the users and groups in the sense that you can log in as the users and you can obtain membership in the groups. 
The permissions are set on the domain object with Access Control List (ACL) inheritance set to users\/groups and will therefore apply to all users and groups in the domain except the ones having ACL inheritance disabled, like the users and groups that are\u00a0<a class=\"af oa\" href=\"https:\/\/learn.microsoft.com\/en-us\/windows-server\/identity\/ad-ds\/plan\/security-best-practices\/appendix-c--protected-accounts-and-groups-in-active-directory#protected-groups\" target=\"_blank\" rel=\"noopener ugc nofollow\"><em class=\"nz\">AdminSDHolder<\/em><\/a>\u00a0protected:<\/p>\n<p data-selectable-paragraph=\"\"><img decoding=\"async\" class=\"size-full wp-image-8641 alignnone\" src=\"https:\/\/www.teal-consulting.de\/wp-content\/uploads\/2024\/04\/Bildschirmfoto-2024-04-02-um-14.22.14.png\" alt=\"\" width=\"695\" height=\"370\" srcset=\"https:\/\/www.teal-consulting.de\/wp-content\/uploads\/2024\/04\/Bildschirmfoto-2024-04-02-um-14.22.14.png 695w, https:\/\/www.teal-consulting.de\/wp-content\/uploads\/2024\/04\/Bildschirmfoto-2024-04-02-um-14.22.14-300x160.png 300w\" sizes=\"(max-width: 695px) 100vw, 695px\" \/><\/p>\n<\/div>\n<p id=\"1bf0\" class=\"pw-post-body-paragraph nb nc gt nd b ne nf ng nh ni nj nk nl nm nn no np nq nr ns nt nu nv nw nx ny gm bj\" data-selectable-paragraph=\"\">Be aware that AdminSDHolder also protects the members of the above groups, including nested members, but not computer object members. The AdminSDHolder protection only works because the AdminSDHolder object has ACL inheritance disabled. 
The protection will become ineffective if you enable ACL inheritance on the object.<\/p>\n<p id=\"b776\" class=\"pw-post-body-paragraph nb nc gt nd b ne nf ng nh ni nj nk nl nm nn no np nq nr ns nt nu nv nw nx ny gm bj\" data-selectable-paragraph=\"\">The Exchange Windows Permissions group has the Exchange servers of the AD environment as members through the\u00a0<em class=\"nz\">Exchange Trusted Subsystem<\/em>\u00a0group by default. Both groups and the Exchange servers are under the control of a third Exchange group called\u00a0<em class=\"nz\">Organization Management<\/em>:<\/p>\n<figure class=\"pp pq pr ps pt pu pm pn paragraph-image\">\n<div class=\"px py fi pz bg qa\" tabindex=\"0\" role=\"button\">\n<div class=\"pm pn pw\"><picture><source srcset=\"https:\/\/miro.medium.com\/v2\/resize:fit:640\/format:webp\/0*WOSHFgxhCCwn0S7i 640w, https:\/\/miro.medium.com\/v2\/resize:fit:720\/format:webp\/0*WOSHFgxhCCwn0S7i 720w, https:\/\/miro.medium.com\/v2\/resize:fit:750\/format:webp\/0*WOSHFgxhCCwn0S7i 750w, https:\/\/miro.medium.com\/v2\/resize:fit:786\/format:webp\/0*WOSHFgxhCCwn0S7i 786w, https:\/\/miro.medium.com\/v2\/resize:fit:828\/format:webp\/0*WOSHFgxhCCwn0S7i 828w, https:\/\/miro.medium.com\/v2\/resize:fit:1100\/format:webp\/0*WOSHFgxhCCwn0S7i 1100w, https:\/\/miro.medium.com\/v2\/resize:fit:1400\/format:webp\/0*WOSHFgxhCCwn0S7i 1400w\" type=\"image\/webp\" sizes=\"(min-resolution: 4dppx) and (max-width: 700px) 50vw, (-webkit-min-device-pixel-ratio: 4) and (max-width: 700px) 50vw, (min-resolution: 3dppx) and (max-width: 700px) 67vw, (-webkit-min-device-pixel-ratio: 3) and (max-width: 700px) 65vw, (min-resolution: 2.5dppx) and (max-width: 700px) 80vw, (-webkit-min-device-pixel-ratio: 2.5) and (max-width: 700px) 80vw, (min-resolution: 2dppx) and (max-width: 700px) 100vw, (-webkit-min-device-pixel-ratio: 2) and (max-width: 700px) 100vw, 700px\" \/><source srcset=\"https:\/\/miro.medium.com\/v2\/resize:fit:640\/0*WOSHFgxhCCwn0S7i 640w, 
https:\/\/miro.medium.com\/v2\/resize:fit:720\/0*WOSHFgxhCCwn0S7i 720w, https:\/\/miro.medium.com\/v2\/resize:fit:750\/0*WOSHFgxhCCwn0S7i 750w, https:\/\/miro.medium.com\/v2\/resize:fit:786\/0*WOSHFgxhCCwn0S7i 786w, https:\/\/miro.medium.com\/v2\/resize:fit:828\/0*WOSHFgxhCCwn0S7i 828w, https:\/\/miro.medium.com\/v2\/resize:fit:1100\/0*WOSHFgxhCCwn0S7i 1100w, https:\/\/miro.medium.com\/v2\/resize:fit:1400\/0*WOSHFgxhCCwn0S7i 1400w\" sizes=\"(min-resolution: 4dppx) and (max-width: 700px) 50vw, (-webkit-min-device-pixel-ratio: 4) and (max-width: 700px) 50vw, (min-resolution: 3dppx) and (max-width: 700px) 67vw, (-webkit-min-device-pixel-ratio: 3) and (max-width: 700px) 65vw, (min-resolution: 2.5dppx) and (max-width: 700px) 80vw, (-webkit-min-device-pixel-ratio: 2.5) and (max-width: 700px) 80vw, (min-resolution: 2dppx) and (max-width: 700px) 100vw, (-webkit-min-device-pixel-ratio: 2) and (max-width: 700px) 100vw, 700px\" data-testid=\"og\" \/><img decoding=\"async\" class=\"bg mi pv c\" role=\"presentation\" src=\"https:\/\/miro.medium.com\/v2\/resize:fit:1400\/0*WOSHFgxhCCwn0S7i\" alt=\"\" width=\"700\" height=\"341\"><\/picture><\/div>\n<\/div>\n<\/figure>\n<p id=\"9612\" class=\"pw-post-body-paragraph nb nc gt nd b ne nf ng nh ni nj nk nl nm nn no np nq nr ns nt nu nv nw nx ny gm bj\" data-selectable-paragraph=\"\">The Organization Management group will have the Exchange admin users as members; this means that compromising either the Exchange servers or an Exchange admin user provides the privileges of the Exchange Windows Permissions group.<\/p>\n<p id=\"119c\" class=\"pw-post-body-paragraph nb nc gt nd b ne nf ng nh ni nj nk nl nm nn no np nq nr ns nt nu nv nw nx ny gm bj\" data-selectable-paragraph=\"\">The permissions of the Exchange Windows Permissions group do not enable you to compromise the domain by default, as Domain Admins members and other privileged users are AdminSDHolder protected and not under Exchange Windows Permissions\u2019 control. 
However, AdminSDHolder does not protect all Tier Zero users and groups, and Exchange Windows Permissions will likely have an attack path to the domain anyway. For example, you can compromise any service account with the default ACL inheritance enabled. A common example of a Tier Zero service account is the Microsoft Entra Connect (formerly known as Azure AD Connect) service account (i.e.,\u00a0<em class=\"nz\">AD DS Connector Account<\/em>, typically named\u00a0<code class=\"cw qk ql qm qc b\">MSOL_nnnnnnnnnnnn<\/code>). This account is very privileged in most configurations. For example, it must have\u00a0<a class=\"af oa\" href=\"https:\/\/support.bloodhoundenterprise.io\/hc\/en-us\/articles\/17322126217371-GetChanges\" target=\"_blank\" rel=\"noopener ugc nofollow\"><em class=\"nz\">GetChanges<\/em><\/a>\u00a0and\u00a0<a class=\"af oa\" href=\"https:\/\/support.bloodhoundenterprise.io\/hc\/en-us\/articles\/17362283577627-GetChangesAll\" target=\"_blank\" rel=\"noopener ugc nofollow\"><em class=\"nz\">GetChangesAll<\/em><\/a>\u00a0permissions on the domain object for the password hash sync feature to work, as Microsoft describes\u00a0<a class=\"af oa\" href=\"https:\/\/learn.microsoft.com\/en-us\/entra\/identity\/hybrid\/connect\/how-to-connect-configure-ad-ds-connector-account#permissions-summary\" target=\"_blank\" rel=\"noopener ugc nofollow\">here<\/a>. These permissions enable the DCSync attack, which compromises the entire AD domain. 
You can protect the service account from inherited permissions by performing the\u00a0<a class=\"af oa\" href=\"https:\/\/learn.microsoft.com\/en-us\/entra\/identity\/hybrid\/connect\/how-to-connect-configure-ad-ds-connector-account#restrict-permissions-on-the-ad-ds-connector-account\" target=\"_blank\" rel=\"noopener ugc nofollow\"><em class=\"nz\">Restrict Permissions on the AD DS Connector Account<\/em><\/a>\u00a0step of the Microsoft Entra Connect setup, but I have personally seen\u00a0<strong class=\"nd gu\">many<\/strong>\u00a0environments where this has not been done and where there is an attack path from the Exchange Windows Permissions group to the domain through the AD DS Connector Account:<\/p>\n<figure class=\"pp pq pr ps pt pu pm pn paragraph-image\">\n<div class=\"px py fi pz bg qa\" tabindex=\"0\" role=\"button\">\n<div class=\"pm pn pw\"><picture><source srcset=\"https:\/\/miro.medium.com\/v2\/resize:fit:640\/format:webp\/0*pCQwHZ48zYkyICVg 640w, https:\/\/miro.medium.com\/v2\/resize:fit:720\/format:webp\/0*pCQwHZ48zYkyICVg 720w, https:\/\/miro.medium.com\/v2\/resize:fit:750\/format:webp\/0*pCQwHZ48zYkyICVg 750w, https:\/\/miro.medium.com\/v2\/resize:fit:786\/format:webp\/0*pCQwHZ48zYkyICVg 786w, https:\/\/miro.medium.com\/v2\/resize:fit:828\/format:webp\/0*pCQwHZ48zYkyICVg 828w, https:\/\/miro.medium.com\/v2\/resize:fit:1100\/format:webp\/0*pCQwHZ48zYkyICVg 1100w, https:\/\/miro.medium.com\/v2\/resize:fit:1400\/format:webp\/0*pCQwHZ48zYkyICVg 1400w\" type=\"image\/webp\" sizes=\"(min-resolution: 4dppx) and (max-width: 700px) 50vw, (-webkit-min-device-pixel-ratio: 4) and (max-width: 700px) 50vw, (min-resolution: 3dppx) and (max-width: 700px) 67vw, (-webkit-min-device-pixel-ratio: 3) and (max-width: 700px) 65vw, (min-resolution: 2.5dppx) and (max-width: 700px) 80vw, (-webkit-min-device-pixel-ratio: 2.5) and (max-width: 700px) 80vw, (min-resolution: 2dppx) and (max-width: 700px) 100vw, (-webkit-min-device-pixel-ratio: 2) and (max-width: 700px) 100vw, 
700px\" \/><source srcset=\"https:\/\/miro.medium.com\/v2\/resize:fit:640\/0*pCQwHZ48zYkyICVg 640w, https:\/\/miro.medium.com\/v2\/resize:fit:720\/0*pCQwHZ48zYkyICVg 720w, https:\/\/miro.medium.com\/v2\/resize:fit:750\/0*pCQwHZ48zYkyICVg 750w, https:\/\/miro.medium.com\/v2\/resize:fit:786\/0*pCQwHZ48zYkyICVg 786w, https:\/\/miro.medium.com\/v2\/resize:fit:828\/0*pCQwHZ48zYkyICVg 828w, https:\/\/miro.medium.com\/v2\/resize:fit:1100\/0*pCQwHZ48zYkyICVg 1100w, https:\/\/miro.medium.com\/v2\/resize:fit:1400\/0*pCQwHZ48zYkyICVg 1400w\" sizes=\"(min-resolution: 4dppx) and (max-width: 700px) 50vw, (-webkit-min-device-pixel-ratio: 4) and (max-width: 700px) 50vw, (min-resolution: 3dppx) and (max-width: 700px) 67vw, (-webkit-min-device-pixel-ratio: 3) and (max-width: 700px) 65vw, (min-resolution: 2.5dppx) and (max-width: 700px) 80vw, (-webkit-min-device-pixel-ratio: 2.5) and (max-width: 700px) 80vw, (min-resolution: 2dppx) and (max-width: 700px) 100vw, (-webkit-min-device-pixel-ratio: 2) and (max-width: 700px) 100vw, 700px\" data-testid=\"og\" \/><img decoding=\"async\" class=\"bg mi pv c\" role=\"presentation\" src=\"https:\/\/miro.medium.com\/v2\/resize:fit:1400\/0*pCQwHZ48zYkyICVg\" alt=\"\" width=\"700\" height=\"120\"><\/picture><\/div>\n<\/div>\n<\/figure>\n<p id=\"5408\" class=\"pw-post-body-paragraph nb nc gt nd b ne nf ng nh ni nj nk nl nm nn no np nq nr ns nt nu nv nw nx ny gm bj\" data-selectable-paragraph=\"\">It is also important to remember that the attacker may not need to compromise the domain to execute their objectives. Suppose they have one or more business-critical systems as targets. 
In that case, they probably do not need to compromise Domain Admins to get to those targets, and the Exchange Windows Permissions group will likely have an attack path to those systems thanks to its extensive permissions.<\/p>\n<p id=\"8570\" class=\"pw-post-body-paragraph nb nc gt nd b ne nf ng nh ni nj nk nl nm nn no np nq nr ns nt nu nv nw nx ny gm bj\" data-selectable-paragraph=\"\">The Exchange permissions described above apply to Exchange configured in the default shared permissions model. What if you have configured Exchange in a stricter permission model? In the next section, we answer that question by taking a deeper dive into the AD permissions granted in the three Exchange permission models.<\/p>\n<h2 id=\"5b73\" class=\"ob oc gt be od oe of og oh oi oj ok ol om on oo op oq or os ot ou ov ow ox oy bj\">Exchange Models and Permissions in AD<\/h2>\n<p>&nbsp;<\/p>\n<p id=\"0b14\" class=\"pw-post-body-paragraph nb nc gt nd b ne oz ng nh ni pa nk nl nm pb no np nq pc ns nt nu pd nw nx ny gm bj\" data-selectable-paragraph=\"\">You can configure Exchange according to one of three permission models:<\/p>\n<ol class=\"\">\n<li id=\"b5b1\" class=\"nb nc gt nd b ne nf ng nh ni nj nk nl nm nn no np nq nr ns nt nu nv nw nx ny qn pf pg bj\" data-selectable-paragraph=\"\">Shared permission model (default)<\/li>\n<li id=\"71d6\" class=\"nb nc gt nd b ne ph ng nh ni pi nk nl nm pj no np nq pk ns nt nu pl nw nx ny qn pf pg bj\" data-selectable-paragraph=\"\">Role-Based Access Control (RBAC) split permissions model<\/li>\n<li id=\"fba1\" class=\"nb nc gt nd b ne ph ng nh ni pi nk nl nm pj no np nq pk ns nt nu pl nw nx ny qn pf pg bj\" data-selectable-paragraph=\"\">AD split permissions model<\/li>\n<\/ol>\n<p id=\"aad0\" class=\"pw-post-body-paragraph nb nc gt nd b ne nf ng nh ni nj nk nl nm nn no np nq nr ns nt nu nv nw nx ny gm bj\" 
data-selectable-paragraph=\"\">The purpose of the split models is to facilitate a management split of Exchange and AD. You can find Microsoft documentation for the models at\u00a0<a class=\"af oa\" href=\"https:\/\/learn.microsoft.com\/en-us\/exchange\/permissions\/split-permissions\/split-permissions?view=exchserver-2019\" target=\"_blank\" rel=\"noopener ugc nofollow\">Split permissions in Exchange Server<\/a>.<\/p>\n<p id=\"dc81\" class=\"pw-post-body-paragraph nb nc gt nd b ne nf ng nh ni nj nk nl nm nn no np nq nr ns nt nu nv nw nx ny gm bj\" data-selectable-paragraph=\"\">Microsoft has documented the AD permissions of Exchange in the\u00a0<a class=\"af oa\" href=\"https:\/\/learn.microsoft.com\/en-us\/exchange\/exchange-2013-deployment-permissions-reference-exchange-2013-help?redirectedfrom=MSDN\" target=\"_blank\" rel=\"noopener ugc nofollow\">Exchange 2013 deployment permissions reference<\/a>, but there is no similar documentation for Exchange 2016 and Exchange 2019 to my knowledge, unfortunately. Therefore, to check the AD permissions of Exchange in the different models, I installed Exchange Server 2019 in the default shared permission model in my lab, changed it to the RBAC split permission model, and changed it to the AD split permission model. Between each step, I ran SharpHound and a PowerShell script to list all non-inherited Access Control Entries (ACEs) of AD objects in the Domain Naming Context (NC), the Configuration NC, and the Schema (including the default security descriptor) using\u00a0<a class=\"af oa\" href=\"https:\/\/github.com\/JonasBK\/Powershell\/blob\/master\/Get-AllADACLs.ps1\" target=\"_blank\" rel=\"noopener ugc nofollow\">Get-AllADACLs.ps1<\/a>. 
This allowed me to use\u00a0<a class=\"af oa\" href=\"https:\/\/github.com\/JonasBK\/Powershell\/blob\/master\/Get-ACLDiff.ps1\" target=\"_blank\" rel=\"noopener ugc nofollow\">Get-ACLDiff.ps1<\/a>\u00a0to review and compare the AD permissions of the different models.<\/p>\n<p id=\"b3de\" class=\"pw-post-body-paragraph nb nc gt nd b ne nf ng nh ni nj nk nl nm nn no np nq nr ns nt nu nv nw nx ny gm bj\" data-selectable-paragraph=\"\">Before we dive into the AD permissions of the different models, it is important to have a basic understanding of\u00a0<em class=\"nz\">Exchange Roles and RBAC<\/em>.<\/p>\n<p>&nbsp;<\/p>\n<h3 id=\"24e9\" class=\"qo oc gt be od qp qq dx oh qr qs dz ol nm qt qu qv nq qw qx qy nu qz ra rb rc bj\">Exchange Roles and RBAC<\/h3>\n<p id=\"b12d\" class=\"pw-post-body-paragraph nb nc gt nd b ne oz ng nh ni pa nk nl nm pb no np nq pc ns nt nu pd nw nx ny gm bj\" data-selectable-paragraph=\"\">Exchange has its own RBAC authorization system. When a user attempts to perform an action in the Exchange Management Shell or the Exchange Admin Center interface, Exchange checks whether the user has an\u00a0<em class=\"nz\">Exchange role\u00a0<\/em>that allows the user to perform the action according to the RBAC model. If RBAC authorizes the user, the user can perform the action regardless of their AD permissions. It is Exchange that executes the action, so AD will only allow the action if the Exchange server\u2019s computer object has the required permissions in AD. 
The Exchange server has its permissions through the Exchange Trusted Subsystem group and Exchange Windows Permissions group, which we saw in the previous section.<\/p>\n<p id=\"8c28\" class=\"pw-post-body-paragraph nb nc gt nd b ne nf ng nh ni nj nk nl nm nn no np nq nr ns nt nu nv nw nx ny gm bj\" data-selectable-paragraph=\"\">The administrative Exchange roles exist in AD as universal security groups:<\/p>\n<figure class=\"pp pq pr ps pt pu pm pn paragraph-image\">\n<div class=\"px py fi pz bg qa\" tabindex=\"0\" role=\"button\">\n<div class=\"pm pn pw\"><picture><source srcset=\"https:\/\/miro.medium.com\/v2\/resize:fit:640\/format:webp\/0*Tu9xF30mAe_R96Dv 640w, https:\/\/miro.medium.com\/v2\/resize:fit:720\/format:webp\/0*Tu9xF30mAe_R96Dv 720w, https:\/\/miro.medium.com\/v2\/resize:fit:750\/format:webp\/0*Tu9xF30mAe_R96Dv 750w, https:\/\/miro.medium.com\/v2\/resize:fit:786\/format:webp\/0*Tu9xF30mAe_R96Dv 786w, https:\/\/miro.medium.com\/v2\/resize:fit:828\/format:webp\/0*Tu9xF30mAe_R96Dv 828w, https:\/\/miro.medium.com\/v2\/resize:fit:1100\/format:webp\/0*Tu9xF30mAe_R96Dv 1100w, https:\/\/miro.medium.com\/v2\/resize:fit:1400\/format:webp\/0*Tu9xF30mAe_R96Dv 1400w\" type=\"image\/webp\" sizes=\"(min-resolution: 4dppx) and (max-width: 700px) 50vw, (-webkit-min-device-pixel-ratio: 4) and (max-width: 700px) 50vw, (min-resolution: 3dppx) and (max-width: 700px) 67vw, (-webkit-min-device-pixel-ratio: 3) and (max-width: 700px) 65vw, (min-resolution: 2.5dppx) and (max-width: 700px) 80vw, (-webkit-min-device-pixel-ratio: 2.5) and (max-width: 700px) 80vw, (min-resolution: 2dppx) and (max-width: 700px) 100vw, (-webkit-min-device-pixel-ratio: 2) and (max-width: 700px) 100vw, 700px\" \/><source srcset=\"https:\/\/miro.medium.com\/v2\/resize:fit:640\/0*Tu9xF30mAe_R96Dv 640w, https:\/\/miro.medium.com\/v2\/resize:fit:720\/0*Tu9xF30mAe_R96Dv 720w, https:\/\/miro.medium.com\/v2\/resize:fit:750\/0*Tu9xF30mAe_R96Dv 750w, 
https:\/\/miro.medium.com\/v2\/resize:fit:786\/0*Tu9xF30mAe_R96Dv 786w, https:\/\/miro.medium.com\/v2\/resize:fit:828\/0*Tu9xF30mAe_R96Dv 828w, https:\/\/miro.medium.com\/v2\/resize:fit:1100\/0*Tu9xF30mAe_R96Dv 1100w, https:\/\/miro.medium.com\/v2\/resize:fit:1400\/0*Tu9xF30mAe_R96Dv 1400w\" sizes=\"(min-resolution: 4dppx) and (max-width: 700px) 50vw, (-webkit-min-device-pixel-ratio: 4) and (max-width: 700px) 50vw, (min-resolution: 3dppx) and (max-width: 700px) 67vw, (-webkit-min-device-pixel-ratio: 3) and (max-width: 700px) 65vw, (min-resolution: 2.5dppx) and (max-width: 700px) 80vw, (-webkit-min-device-pixel-ratio: 2.5) and (max-width: 700px) 80vw, (min-resolution: 2dppx) and (max-width: 700px) 100vw, (-webkit-min-device-pixel-ratio: 2) and (max-width: 700px) 100vw, 700px\" data-testid=\"og\" \/><img decoding=\"async\" class=\"bg mi pv c\" role=\"presentation\" src=\"https:\/\/miro.medium.com\/v2\/resize:fit:1400\/0*Tu9xF30mAe_R96Dv\" alt=\"\" width=\"700\" height=\"356\"><\/picture><\/div>\n<\/div>\n<\/figure>\n<p id=\"3be0\" class=\"pw-post-body-paragraph nb nc gt nd b ne nf ng nh ni nj nk nl nm nn no np nq nr ns nt nu nv nw nx ny gm bj\" data-selectable-paragraph=\"\">This includes the Organization Management group, which is the most privileged Exchange role. We will not cover what each of the Exchange role groups can do, as our focus for this blog post is what an attacker can do if they compromise Exchange and not just a limited Exchange role.<\/p>\n<h3 id=\"faab\" class=\"qo oc gt be od qp qq dx oh qr qs dz ol nm qt qu qv nq qw qx qy nu qz ra rb rc bj\">Exchange Shared Permission Model<\/h3>\n<p id=\"25be\" class=\"pw-post-body-paragraph nb nc gt nd b ne oz ng nh ni pa nk nl nm pb no np nq pc ns nt nu pd nw nx ny gm bj\" data-selectable-paragraph=\"\">The shared permission model is the default model. 
Exchange Trusted Subsystem, Exchange Windows Permissions, and some of the Exchange role groups have permissions in AD with this model; however, most of the permissions are non-compromising, like read and write access to Exchange-specific attributes. The permissions that result in outbound BloodHound edges to non-Exchange objects are the ones described in the\u00a0<a class=\"af oa\" href=\"https:\/\/posts.specterops.io\/pwned-by-the-mail-carrier-0750edfad43b#1251\" rel=\"noopener ugc nofollow\" target=\"_blank\"><em class=\"nz\">What Can Exchange Do Today, BloodHound?<\/em><\/a>\u00a0section.<\/p>\n<p id=\"8bbd\" class=\"pw-post-body-paragraph nb nc gt nd b ne nf ng nh ni nj nk nl nm nn no np nq nr ns nt nu nv nw nx ny gm bj\" data-selectable-paragraph=\"\">You can see all the AD permissions added to existing AD objects of my AD lab when I installed Exchange Server 2019 here:\u00a0<a class=\"af oa\" href=\"https:\/\/github.com\/JonasBK\/Exchange-AD-ACL-testing\/tree\/main\/01%20Exchange%20installed%20diff\" target=\"_blank\" rel=\"noopener ugc nofollow\">Exchange-AD-ACL-testing\/01 Exchange installed diff<\/a>.<\/p>\n<h3 id=\"9949\" class=\"qo oc gt be od qp qq dx oh qr qs dz ol nm qt qu qv nq qw qx qy nu qz ra rb rc bj\">Exchange RBAC Split Permissions Model<\/h3>\n<p id=\"ae8f\" class=\"pw-post-body-paragraph nb nc gt nd b ne oz ng nh ni pa nk nl nm pb no np nq pc ns nt nu pd nw nx ny gm bj\" data-selectable-paragraph=\"\">The RBAC split model is Microsoft\u2019s favorite (from\u00a0<a class=\"af oa\" href=\"https:\/\/learn.microsoft.com\/en-us\/exchange\/permissions\/split-permissions\/split-permissions?view=exchserver-2019#split-permissions\" target=\"_blank\" rel=\"noopener ugc nofollow\">Microsoft\u2019s documentation<\/a>):<\/p>\n<blockquote class=\"re rf rg\">\n<p id=\"a9c7\" class=\"nb nc nz nd b ne nf ng nh ni nj nk nl nm nn no np nq nr ns nt nu nv nw nx ny gm bj\" data-selectable-paragraph=\"\">\u201cIf your organization chooses to 
use a split permissions model instead of shared permissions, we recommend that you use the RBAC split permissions model. The RBAC split permissions model provides significantly more flexibility while providing the nearly same administration separation as Active Directory split permissions, with the exception that Exchange servers and services can create security principals in the RBAC split permissions model.\u201d<\/p>\n<\/blockquote>\n<p id=\"4dd2\" class=\"pw-post-body-paragraph nb nc gt nd b ne nf ng nh ni nj nk nl nm nn no np nq nr ns nt nu nv nw nx ny gm bj\" data-selectable-paragraph=\"\">It sounds promising, but what I found when I changed my Exchange deployment to this model was that not a single ACE in the Domain NC was added or removed outside the\u00a0<em class=\"nz\">Microsoft Exchange Security Groups<\/em>\u00a0Organizational Unit (OU) and the\u00a0<em class=\"nz\">Microsoft Exchange System Objects<\/em>\u00a0container. Likewise, in the Configuration NC, there were only changes in the\u00a0<em class=\"nz\">Microsoft Exchange<\/em>\u00a0container. 
The attack paths under the shared permission model from the Exchange server\/admin to users and groups are therefore also valid in the RBAC split model.<\/p>\n<figure class=\"pp pq pr ps pt pu pm pn paragraph-image\">\n<div class=\"pm pn cg\"><picture><source srcset=\"https:\/\/miro.medium.com\/v2\/resize:fit:640\/format:webp\/0*DBlITFBv3GcZ2nwq 640w, https:\/\/miro.medium.com\/v2\/resize:fit:720\/format:webp\/0*DBlITFBv3GcZ2nwq 720w, https:\/\/miro.medium.com\/v2\/resize:fit:750\/format:webp\/0*DBlITFBv3GcZ2nwq 750w, https:\/\/miro.medium.com\/v2\/resize:fit:786\/format:webp\/0*DBlITFBv3GcZ2nwq 786w, https:\/\/miro.medium.com\/v2\/resize:fit:828\/format:webp\/0*DBlITFBv3GcZ2nwq 828w, https:\/\/miro.medium.com\/v2\/resize:fit:1100\/format:webp\/0*DBlITFBv3GcZ2nwq 1100w, https:\/\/miro.medium.com\/v2\/resize:fit:1360\/format:webp\/0*DBlITFBv3GcZ2nwq 1360w\" type=\"image\/webp\" sizes=\"(min-resolution: 4dppx) and (max-width: 700px) 50vw, (-webkit-min-device-pixel-ratio: 4) and (max-width: 700px) 50vw, (min-resolution: 3dppx) and (max-width: 700px) 67vw, (-webkit-min-device-pixel-ratio: 3) and (max-width: 700px) 65vw, (min-resolution: 2.5dppx) and (max-width: 700px) 80vw, (-webkit-min-device-pixel-ratio: 2.5) and (max-width: 700px) 80vw, (min-resolution: 2dppx) and (max-width: 700px) 100vw, (-webkit-min-device-pixel-ratio: 2) and (max-width: 700px) 100vw, 680px\" \/><source srcset=\"https:\/\/miro.medium.com\/v2\/resize:fit:640\/0*DBlITFBv3GcZ2nwq 640w, https:\/\/miro.medium.com\/v2\/resize:fit:720\/0*DBlITFBv3GcZ2nwq 720w, https:\/\/miro.medium.com\/v2\/resize:fit:750\/0*DBlITFBv3GcZ2nwq 750w, https:\/\/miro.medium.com\/v2\/resize:fit:786\/0*DBlITFBv3GcZ2nwq 786w, https:\/\/miro.medium.com\/v2\/resize:fit:828\/0*DBlITFBv3GcZ2nwq 828w, https:\/\/miro.medium.com\/v2\/resize:fit:1100\/0*DBlITFBv3GcZ2nwq 1100w, https:\/\/miro.medium.com\/v2\/resize:fit:1360\/0*DBlITFBv3GcZ2nwq 1360w\" sizes=\"(min-resolution: 4dppx) and (max-width: 700px) 50vw, 
(-webkit-min-device-pixel-ratio: 4) and (max-width: 700px) 50vw, (min-resolution: 3dppx) and (max-width: 700px) 67vw, (-webkit-min-device-pixel-ratio: 3) and (max-width: 700px) 65vw, (min-resolution: 2.5dppx) and (max-width: 700px) 80vw, (-webkit-min-device-pixel-ratio: 2.5) and (max-width: 700px) 80vw, (min-resolution: 2dppx) and (max-width: 700px) 100vw, (-webkit-min-device-pixel-ratio: 2) and (max-width: 700px) 100vw, 680px\" data-testid=\"og\" \/><img decoding=\"async\" class=\"bg mi pv c\" role=\"presentation\" src=\"https:\/\/miro.medium.com\/v2\/resize:fit:1360\/0*DBlITFBv3GcZ2nwq\" alt=\"\" width=\"680\" height=\"762\"><\/picture><\/div>\n<\/figure>\n<p id=\"7bd0\" class=\"pw-post-body-paragraph nb nc gt nd b ne nf ng nh ni nj nk nl nm nn no np nq nr ns nt nu nv nw nx ny gm bj\" data-selectable-paragraph=\"\">From the documentation of the model, we can read that the \u201cRBAC split\u201d refers to the permissions being split in Exchange RBAC rather than in AD. This explains why we do not see more changes in AD. So, to be fair, I assume it might not be entirely the same picture, as the RBAC split model gives you better options for delegating limited control in Exchange RBAC. 
However, from the perspective of an attacker with control over an Exchange server\/admin, it seems the same.<\/p>\n<h3 id=\"02e1\" class=\"qo oc gt be od qp qq dx oh qr qs dz ol nm qt qu qv nq qw qx qy nu qz ra rb rc bj\">AD Split Permission Model<\/h3>\n<p id=\"f072\" class=\"pw-post-body-paragraph nb nc gt nd b ne oz ng nh ni pa nk nl nm pb no np nq pc ns nt nu pd nw nx ny gm bj\" data-selectable-paragraph=\"\">Microsoft writes this about the AD split model:<\/p>\n<blockquote class=\"re rf rg\">\n<p id=\"592b\" class=\"nb nc nz nd b ne nf ng nh ni nj nk nl nm nn no np nq nr ns nt nu nv nw nx ny gm bj\" data-selectable-paragraph=\"\">\u201cSeveral changes are made to the permissions granted to the Exchange Trusted Subsystem and Exchange servers to limit what Exchange administrators and servers can do. \u2026 Exchange servers and the Exchange management tools can only modify the Exchange attributes of existing security principals in Active Directory.\u201d<\/p>\n<\/blockquote>\n<p id=\"fb7f\" class=\"pw-post-body-paragraph nb nc gt nd b ne nf ng nh ni nj nk nl nm nn no np nq nr ns nt nu nv nw nx ny gm bj\" data-selectable-paragraph=\"\">That is correct. The Exchange Windows Permissions group changes a lot with the AD split model:<\/p>\n<ul>\n<li style=\"list-style-type: none;\">\n<ul class=\"\">\n<li id=\"1cc6\" class=\"nb nc gt nd b ne nf ng nh ni nj nk nl nm nn no np nq nr ns nt nu nv nw nx ny pe pf pg bj\" data-selectable-paragraph=\"\">The group is now empty; the Exchange Trusted Subsystem group is no longer a member<\/li>\n<li id=\"3cd2\" class=\"nb nc gt nd b ne ph ng nh ni pi nk nl nm pj no np nq pk ns nt nu pl nw nx ny pe pf pg bj\" data-selectable-paragraph=\"\">Inbound permissions on the group are limited to default privileged groups (i.e. Domain Admins, Enterprise Admins, etc.) 
meaning that Exchange Trusted Subsystem and Organization Management lost their permissions on the group<\/li>\n<li id=\"029f\" class=\"nb nc gt nd b ne ph ng nh ni pi nk nl nm pj no np nq pk ns nt nu pl nw nx ny pe pf pg bj\" data-selectable-paragraph=\"\">All ACEs assigned to the group are gone except for a single deny ACE on the domain<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p id=\"e782\" class=\"pw-post-body-paragraph nb nc gt nd b ne nf ng nh ni nj nk nl nm nn no np nq nr ns nt nu nv nw nx ny gm bj\" data-selectable-paragraph=\"\">The result of the AD split model is that the BloodHound attack paths from Exchange admins and Exchange servers to all users and groups with ACL inheritance enabled are effectively remediated. It is also worth noting that Exchange no longer has permission to create AD users, groups, and computers (and some other classes), as Exchange Windows Permissions held that permission.<\/p>\n<p id=\"c213\" class=\"pw-post-body-paragraph nb nc gt nd b ne nf ng nh ni nj nk nl nm nn no np nq nr ns nt nu nv nw nx ny gm bj\" data-selectable-paragraph=\"\">You can see the full list of AD permissions removed in my AD lab (on non-Exchange AD objects) after the configuration of the AD split permission model, at\u00a0<a class=\"af oa\" href=\"https:\/\/github.com\/JonasBK\/Exchange-AD-ACL-testing\/tree\/main\/02%20AD%20split%20deployed%20diff\" target=\"_blank\" rel=\"noopener ugc nofollow\">Exchange-AD-ACL-testing\/02 AD split deployed diff<\/a>.<\/p>\n<p id=\"c032\" class=\"pw-post-body-paragraph nb nc gt nd b ne nf ng nh ni nj nk nl nm nn no np nq nr ns nt nu nv nw nx ny gm bj\" data-selectable-paragraph=\"\">There are still several AD permissions granted to the Exchange groups, even with the AD split permission model. 
In the next section, we will take a closer look at some of those.<\/p>\n<p>&nbsp;<\/p>\n<h2 id=\"8238\" class=\"ob oc gt be od oe of og oh oi oj ok ol om on oo op oq or os ot ou ov ow ox oy bj\">A Closer Look Into Exchange AD Permissions<\/h2>\n<p>&nbsp;<\/p>\n<p id=\"8dc2\" class=\"pw-post-body-paragraph nb nc gt nd b ne oz ng nh ni pa nk nl nm pb no np nq pc ns nt nu pd nw nx ny gm bj\" data-selectable-paragraph=\"\">The Exchange groups have several permissions on non-Exchange AD objects even if you deploy the Exchange AD split model. None of these permissions result in BloodHound edges, but some of them are still quite juicy.<\/p>\n<h3>Write Personal-Information Property Set<\/h3>\n<p>&nbsp;<\/p>\n<p id=\"3f62\" class=\"pw-post-body-paragraph nb nc gt nd b ne oz ng nh ni pa nk nl nm pb no np nq pc ns nt nu pd nw nx ny gm bj\" data-selectable-paragraph=\"\">The Exchange Trusted Subsystem group has permission to write to the\u00a0<code class=\"cw qk ql qm qc b\">Personal-Information<\/code>\u00a0property set on AdminSDHolder and on the domain object with ACL inheritance enabled:<\/p>\n<p data-selectable-paragraph=\"\"><img decoding=\"async\" class=\"aligncenter size-full wp-image-8644 lazyload\" data-src=\"https:\/\/www.teal-consulting.de\/wp-content\/uploads\/2024\/04\/unnamed-file.png\" alt=\"\" width=\"693\" height=\"661\" data-srcset=\"https:\/\/www.teal-consulting.de\/wp-content\/uploads\/2024\/04\/unnamed-file.png 693w, https:\/\/www.teal-consulting.de\/wp-content\/uploads\/2024\/04\/unnamed-file-300x286.png 300w\" data-sizes=\"(max-width: 693px) 100vw, 693px\" src=\"data:image\/svg+xml;base64,PHN2ZyB3aWR0aD0iMSIgaGVpZ2h0PSIxIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciPjwvc3ZnPg==\" style=\"--smush-placeholder-width: 693px; --smush-placeholder-aspect-ratio: 693\/661;\" \/><\/p>\n<p id=\"9229\" class=\"pw-post-body-paragraph nb nc gt nd b ne nf ng nh ni nj nk nl nm nn no np nq nr ns nt nu nv nw nx ny gm bj\" data-selectable-paragraph=\"\">That means the 
group can write to the attributes of this property set on all AD objects the property set applies to.\u00a0<a class=\"af oa\" href=\"https:\/\/learn.microsoft.com\/en-us\/windows\/win32\/adschema\/r-personal-information\" target=\"_blank\" rel=\"noopener ugc nofollow\">Microsoft\u2019s documentation for the Personal-Information property set<\/a>\u00a0defines the attributes that are part of the property set for different Windows versions. The\u00a0<code class=\"cw qk ql qm qc b\">msDS-AllowedToActOnBehalfOfOtherIdentity<\/code>\u00a0attribute is part of the property set for the latest Windows version in the documentation. AD security enthusiasts (like me) will know that write access to this attribute on a computer enables an attacker to compromise the host of the computer with an\u00a0<a class=\"af oa\" href=\"https:\/\/shenaniganslabs.io\/2019\/01\/28\/Wagging-the-Dog.html\" target=\"_blank\" rel=\"noopener ugc nofollow\"><em class=\"nz\">RBCD attack<\/em><\/a>. So it looks like Exchange Trusted Subsystem can compromise any host in the AD environment. 
I tested the attack, but when attempting to write to the\u00a0<code class=\"cw qk ql qm qc b\">msDS-AllowedToActOnBehalfOfOtherIdentity<\/code>\u00a0attribute, I got an \u201caccess denied\u201d error.<\/p>\n<figure class=\"pp pq pr ps pt pu pm pn paragraph-image\">\n<div class=\"pm pn ri\"><picture><source srcset=\"https:\/\/miro.medium.com\/v2\/resize:fit:640\/format:webp\/0*N1xWprm_PeciiAh4 640w, https:\/\/miro.medium.com\/v2\/resize:fit:720\/format:webp\/0*N1xWprm_PeciiAh4 720w, https:\/\/miro.medium.com\/v2\/resize:fit:750\/format:webp\/0*N1xWprm_PeciiAh4 750w, https:\/\/miro.medium.com\/v2\/resize:fit:786\/format:webp\/0*N1xWprm_PeciiAh4 786w, https:\/\/miro.medium.com\/v2\/resize:fit:828\/format:webp\/0*N1xWprm_PeciiAh4 828w, https:\/\/miro.medium.com\/v2\/resize:fit:1100\/format:webp\/0*N1xWprm_PeciiAh4 1100w, https:\/\/miro.medium.com\/v2\/resize:fit:800\/format:webp\/0*N1xWprm_PeciiAh4 800w\" type=\"image\/webp\" sizes=\"(min-resolution: 4dppx) and (max-width: 700px) 50vw, (-webkit-min-device-pixel-ratio: 4) and (max-width: 700px) 50vw, (min-resolution: 3dppx) and (max-width: 700px) 67vw, (-webkit-min-device-pixel-ratio: 3) and (max-width: 700px) 65vw, (min-resolution: 2.5dppx) and (max-width: 700px) 80vw, (-webkit-min-device-pixel-ratio: 2.5) and (max-width: 700px) 80vw, (min-resolution: 2dppx) and (max-width: 700px) 100vw, (-webkit-min-device-pixel-ratio: 2) and (max-width: 700px) 100vw, 400px\" \/><source srcset=\"https:\/\/miro.medium.com\/v2\/resize:fit:640\/0*N1xWprm_PeciiAh4 640w, https:\/\/miro.medium.com\/v2\/resize:fit:720\/0*N1xWprm_PeciiAh4 720w, https:\/\/miro.medium.com\/v2\/resize:fit:750\/0*N1xWprm_PeciiAh4 750w, https:\/\/miro.medium.com\/v2\/resize:fit:786\/0*N1xWprm_PeciiAh4 786w, https:\/\/miro.medium.com\/v2\/resize:fit:828\/0*N1xWprm_PeciiAh4 828w, https:\/\/miro.medium.com\/v2\/resize:fit:1100\/0*N1xWprm_PeciiAh4 1100w, https:\/\/miro.medium.com\/v2\/resize:fit:800\/0*N1xWprm_PeciiAh4 800w\" sizes=\"(min-resolution: 4dppx) and 
(max-width: 700px) 50vw, (-webkit-min-device-pixel-ratio: 4) and (max-width: 700px) 50vw, (min-resolution: 3dppx) and (max-width: 700px) 67vw, (-webkit-min-device-pixel-ratio: 3) and (max-width: 700px) 65vw, (min-resolution: 2.5dppx) and (max-width: 700px) 80vw, (-webkit-min-device-pixel-ratio: 2.5) and (max-width: 700px) 80vw, (min-resolution: 2dppx) and (max-width: 700px) 100vw, (-webkit-min-device-pixel-ratio: 2) and (max-width: 700px) 100vw, 400px\" data-testid=\"og\" \/><img decoding=\"async\" class=\"bg mi pv c\" role=\"presentation\" src=\"https:\/\/miro.medium.com\/v2\/resize:fit:800\/0*N1xWprm_PeciiAh4\" alt=\"\" width=\"400\" height=\"300\"><\/picture><\/div>\n<\/figure>\n<p id=\"1a64\" class=\"pw-post-body-paragraph nb nc gt nd b ne nf ng nh ni nj nk nl nm nn no np nq nr ns nt nu nv nw nx ny gm bj\" data-selectable-paragraph=\"\">The wiser AD security enthusiasts (in other words, not me) will know that the\u00a0<code class=\"cw qk ql qm qc b\">msDS-AllowedToActOnBehalfOfOtherIdentity<\/code>\u00a0attribute has moved to the\u00a0<code class=\"cw qk ql qm qc b\">User-Account-Restrictions<\/code><em class=\"nz\">\u00a0<\/em>property set as explained by\u00a0<a class=\"af oa\" href=\"https:\/\/twitter.com\/_dirkjan\" target=\"_blank\" rel=\"noopener ugc nofollow\">Dirk-jan Mollema<\/a>\u00a0in his\u00a0<a class=\"af oa\" href=\"https:\/\/dirkjanm.io\/abusing-forgotten-permissions-on-precreated-computer-objects-in-active-directory\/\" target=\"_blank\" rel=\"noopener ugc nofollow\">Abusing forgotten permissions on computer objects in Active Directory<\/a>\u00a0blog post. 
The Microsoft documentation only goes up to Windows Server 2012 and\u00a0<code class=\"cw qk ql qm qc b\">msDS-AllowedToActOnBehalfOfOtherIdentity<\/code>\u00a0moved afterwards, which is why you cannot see the current property set of the attribute.<\/p>\n<p id=\"6c5a\" class=\"pw-post-body-paragraph nb nc gt nd b ne nf ng nh ni nj nk nl nm nn no np nq nr ns nt nu nv nw nx ny gm bj\" data-selectable-paragraph=\"\">To save others from the same disappointing feeling, I made a PowerShell script named\u00a0<a class=\"af oa\" href=\"https:\/\/github.com\/JonasBK\/Powershell\/blob\/master\/Get-PropertySets.ps1\" target=\"_blank\" rel=\"noopener ugc nofollow\">Get-PropertySets.ps1<\/a>\u00a0to print out all property sets of an AD environment. The script also includes the output from my lab environment as a comment block, so you do not necessarily have to run it.<\/p>\n<h3 id=\"5593\" class=\"qo oc gt be od qp qq dx oh qr qs dz ol nm qt qu qv nq qw qx qy nu qz ra rb rc bj\">Write Public-Information Property Set<\/h3>\n<p id=\"1b2d\" class=\"pw-post-body-paragraph nb nc gt nd b ne oz ng nh ni pa nk nl nm pb no np nq pc ns nt nu pd nw nx ny gm bj\" data-selectable-paragraph=\"\">The Exchange Trusted Subsystem group has the permission to write to the\u00a0<code class=\"cw qk ql qm qc b\">Public-Information<\/code>\u00a0property set on AdminSDHolder and on the domain object with ACL inheritance enabled, just like for the\u00a0<code class=\"cw qk ql qm qc b\">Personal-Information<\/code>\u00a0property set. 
The\u00a0<code class=\"cw qk ql qm qc b\">Public-Information<\/code>\u00a0property set contains the following attributes:<\/p>\n<p data-selectable-paragraph=\"\"><img decoding=\"async\" class=\"aligncenter size-full wp-image-8646 lazyload\" data-src=\"https:\/\/www.teal-consulting.de\/wp-content\/uploads\/2024\/04\/Public-Information-attributes.png\" alt=\"\" width=\"687\" height=\"931\" data-srcset=\"https:\/\/www.teal-consulting.de\/wp-content\/uploads\/2024\/04\/Public-Information-attributes.png 687w, https:\/\/www.teal-consulting.de\/wp-content\/uploads\/2024\/04\/Public-Information-attributes-221x300.png 221w\" data-sizes=\"(max-width: 687px) 100vw, 687px\" src=\"data:image\/svg+xml;base64,PHN2ZyB3aWR0aD0iMSIgaGVpZ2h0PSIxIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciPjwvc3ZnPg==\" style=\"--smush-placeholder-width: 687px; --smush-placeholder-aspect-ratio: 687\/931;\" \/><\/p>\n<p id=\"f177\" class=\"pw-post-body-paragraph nb nc gt nd b ne nf ng nh ni nj nk nl nm nn no np nq nr ns nt nu nv nw nx ny gm bj\" data-selectable-paragraph=\"\">We will explore the ones that seemed interesting to me.<\/p>\n<h3 id=\"4c52\" class=\"qo oc gt be od qp qq dx oh qr qs dz ol nm qt qu qv nq qw qx qy nu qz ra rb rc bj\">Write Service-Principal-Name<\/h3>\n<p id=\"1e5e\" class=\"pw-post-body-paragraph nb nc gt nd b ne oz ng nh ni pa nk nl nm pb no np nq pc ns nt nu pd nw nx ny gm bj\" data-selectable-paragraph=\"\">Out of the list in the previous section, the\u00a0<code class=\"cw qk ql qm qc b\">Service-Principal-Name<\/code>\u00a0(SPN) attribute stands out. 
Write access to this attribute allows you to perform targeted\u00a0<a class=\"af oa\" href=\"https:\/\/attack.mitre.org\/techniques\/T1558\/003\/\" target=\"_blank\" rel=\"noopener ugc nofollow\"><em class=\"nz\">Kerberoasting<\/em><\/a><em class=\"nz\">.<\/em>\u00a0<a class=\"af oa\" href=\"https:\/\/github.com\/gdedrouas\" target=\"_blank\" rel=\"noopener ugc nofollow\">G\u00e9raud de Drouas<\/a>\u00a0has described this attack here:\u00a0<a class=\"af oa\" href=\"https:\/\/github.com\/gdedrouas\/Exchange-AD-Privesc\/blob\/master\/Write-Public-Information\/Write-Public-Information.md\" target=\"_blank\" rel=\"noopener ugc nofollow\">Write Public-Information ACE leads to Kerberoasting from Exchange security groups<\/a>.<\/p>\n<p id=\"31ce\" class=\"pw-post-body-paragraph nb nc gt nd b ne nf ng nh ni nj nk nl nm nn no np nq nr ns nt nu nv nw nx ny gm bj\" data-selectable-paragraph=\"\">However, as G\u00e9raud\u2019s article explains, Microsoft has added specific deny ACEs to block write access to the SPN attribute specifically:<\/p>\n<p data-selectable-paragraph=\"\"><img decoding=\"async\" class=\"aligncenter size-full wp-image-8648 lazyload\" data-src=\"https:\/\/www.teal-consulting.de\/wp-content\/uploads\/2024\/04\/Bildschirmfoto-2024-04-02-um-14.56.57.png\" alt=\"\" width=\"694\" height=\"662\" data-srcset=\"https:\/\/www.teal-consulting.de\/wp-content\/uploads\/2024\/04\/Bildschirmfoto-2024-04-02-um-14.56.57.png 694w, https:\/\/www.teal-consulting.de\/wp-content\/uploads\/2024\/04\/Bildschirmfoto-2024-04-02-um-14.56.57-300x286.png 300w\" data-sizes=\"(max-width: 694px) 100vw, 694px\" src=\"data:image\/svg+xml;base64,PHN2ZyB3aWR0aD0iMSIgaGVpZ2h0PSIxIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciPjwvc3ZnPg==\" style=\"--smush-placeholder-width: 694px; --smush-placeholder-aspect-ratio: 694\/662;\" \/><\/p>\n<p id=\"39af\" class=\"pw-post-body-paragraph nb nc gt nd b ne nf ng nh ni nj nk nl nm nn no np nq nr ns nt nu nv nw nx ny gm bj\" 
data-selectable-paragraph=\"\">The deny ACEs mean the attack is prevented.<\/p>\n<h3 id=\"2a35\" class=\"qo oc gt be od qp qq dx oh qr qs dz ol nm qt qu qv nq qw qx qy nu qz ra rb rc bj\" data-selectable-paragraph=\"\">Write User-Principal-Name<\/h3>\n<p>&nbsp;<\/p>\n<p id=\"61c7\" class=\"pw-post-body-paragraph nb nc gt nd b ne oz ng nh ni pa nk nl nm pb no np nq pc ns nt nu pd nw nx ny gm bj\" data-selectable-paragraph=\"\">The\u00a0<code class=\"cw qk ql qm qc b\">User-Principal-Name<\/code>\u00a0(UPN) attribute is more interesting.\u00a0<a class=\"af oa\" href=\"https:\/\/medium.com\/@oliverlyak\" rel=\"noopener\" target=\"_blank\">Oliver Lyak<\/a>\u00a0demonstrated in the\u00a0<a class=\"af oa\" href=\"https:\/\/research.ifcr.dk\/certipy-4-0-esc9-esc10-bloodhound-gui-new-authentication-and-request-methods-and-more-7237d88061f7\" target=\"_blank\" rel=\"noopener ugc nofollow\">ESC9 and ESC10 blog post<\/a>\u00a0how an attacker can abuse write access to this attribute of a controlled user or computer to compromise any user or computer in the AD forest. 
The ESC9 and ESC10 attacks with UPN abuse go like this:<\/p>\n<ol>\n<li style=\"list-style-type: none;\">\n<ol>\n<li style=\"list-style-type: none;\">\n<ol class=\"\">\n<li id=\"0e89\" class=\"nb nc gt nd b ne nf ng nh ni nj nk nl nm nn no np nq nr ns nt nu nv nw nx ny qn pf pg bj\" data-selectable-paragraph=\"\">Overwrite the UPN of an attacker-controlled principal (i.e., victim) to be either the\u00a0<code class=\"cw qk ql qm qc b\">SAM-Account-Name<\/code>\u00a0attribute of a targeted user or\u00a0<code class=\"cw qk ql qm qc b\">SAM-Account-Name@Domain.Name<\/code>\u00a0of a targeted computer<\/li>\n<li id=\"0aad\" class=\"nb nc gt nd b ne ph ng nh ni pi nk nl nm pj no np nq pk ns nt nu pl nw nx ny qn pf pg bj\" data-selectable-paragraph=\"\">Enroll for a certificate that allows for (client) authentication as the victim<\/li>\n<li id=\"c5a6\" class=\"nb nc gt nd b ne ph ng nh ni pi nk nl nm pj no np nq pk ns nt nu pl nw nx ny qn pf pg bj\" data-selectable-paragraph=\"\">Change the UPN of the victim to something else, such that it does not match the UPN in the certificate<\/li>\n<li id=\"c29a\" class=\"nb nc gt nd b ne ph ng nh ni pi nk nl nm pj no np nq pk ns nt nu pl nw nx ny qn pf pg bj\" data-selectable-paragraph=\"\">Authenticate as the targeted principal<\/li>\n<\/ol>\n<\/li>\n<\/ol>\n<\/li>\n<\/ol>\n<p id=\"951d\" class=\"pw-post-body-paragraph nb nc gt nd b ne nf ng nh ni nj nk nl nm nn no np nq nr ns nt nu nv nw nx ny gm bj\" data-selectable-paragraph=\"\">Check out Oliver Lyak\u2019s blog post to see a demonstration of the attack.<\/p>\n<p id=\"9fe0\" class=\"pw-post-body-paragraph nb nc gt nd b ne nf ng nh ni nj nk nl nm nn no np nq nr ns nt nu nv nw nx ny gm bj\" data-selectable-paragraph=\"\">The key requirements for the attack depend on whether the attacker chooses Kerberos (PKINIT) or Schannel authentication. 
Kerberos authentication requirements:<\/p>\n<ul>\n<li style=\"list-style-type: none;\">\n<ul class=\"\">\n<li id=\"8281\" class=\"nb nc gt nd b ne nf ng nh ni nj nk nl nm nn no np nq nr ns nt nu nv nw nx ny pe pf pg bj\" data-selectable-paragraph=\"\">A Domain Controller (DC) allows weak certificate mapping for Kerberos, meaning that the\u00a0<code class=\"cw qk ql qm qc b\">StrongCertificateBindingEnforcement<\/code>\u00a0DC registry key value is set to 0 or 1 (not 2)<br \/>\n&#8211; The default value is 1<br \/>\n&#8211; The 0 value has been interpreted as 1 (i.e., compatibility mode) since April 2023, as documented\u00a0<a class=\"af oa\" href=\"https:\/\/support.microsoft.com\/en-us\/topic\/kb5014754-certificate-based-authentication-changes-on-windows-domain-controllers-ad2c23b0-15d8-4340-a468-4d4f3b188f16\" target=\"_blank\" rel=\"noopener ugc nofollow\">here<\/a><br \/>\n&#8211; Strong certificate mapping will be enforced by\u00a0<a class=\"af oa\" href=\"https:\/\/support.microsoft.com\/en-us\/topic\/kb5014754-certificate-based-authentication-changes-on-windows-domain-controllers-ad2c23b0-15d8-4340-a468-4d4f3b188f16\" target=\"_blank\" rel=\"noopener ugc nofollow\">February 11, 2025<\/a><\/li>\n<li id=\"d66e\" class=\"nb nc gt nd b ne ph ng nh ni pi nk nl nm pj no np nq pk ns nt nu pl nw nx ny pe pf pg bj\" data-selectable-paragraph=\"\">The certificate does not include the SID extension, which requires the certificate template to contain the\u00a0<code class=\"cw qk ql qm qc b\">CT_FLAG_NO_SECURITY_EXTENSION<\/code>\u00a0flag in the\u00a0<code class=\"cw qk ql qm qc b\">msPKI-Enrollment-Flag<\/code>\u00a0attribute (not present by default)<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p id=\"7045\" class=\"pw-post-body-paragraph nb nc gt nd b ne nf ng nh ni nj nk nl nm nn no np nq nr ns nt nu nv nw nx ny gm bj\" data-selectable-paragraph=\"\">Schannel authentication requirements:<\/p>\n<ul>\n<li style=\"list-style-type: none;\">\n<ul class=\"\">\n<li id=\"f606\" 
class=\"nb nc gt nd b ne nf ng nh ni nj nk nl nm nn no np nq nr ns nt nu nv nw nx ny pe pf pg bj\" data-selectable-paragraph=\"\">A DC allows UPN (weak) certificate mapping for Schannel, meaning that the\u00a0<code class=\"cw qk ql qm qc b\">CertificateMappingMethods<\/code>\u00a0DC registry key value contains the UPN flag (i.e.,\u00a0<code class=\"cw qk ql qm qc b\">0x04<\/code>) (not present by default)<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p id=\"a107\" class=\"pw-post-body-paragraph nb nc gt nd b ne nf ng nh ni nj nk nl nm nn no np nq nr ns nt nu nv nw nx ny gm bj\" data-selectable-paragraph=\"\">Members of the Exchange Trusted Subsystem group can abuse the write\u00a0<code class=\"cw qk ql qm qc b\">Public-Information<\/code>\u00a0permission to overwrite the UPN of their account and compromise any user or computer in the AD forest if the ESC9\/ESC10 requirements are met, even if you have configured Exchange in the AD split permission model; however, it does require that the AD environment has specific non-default and insecure AD Certificate Services (ADCS) configurations enabled.<\/p>\n<h2 id=\"57fe\" class=\"qo oc gt be od qp qq dx oh qr qs dz ol nm qt qu qv nq qw qx qy nu qz ra rb rc bj\" data-selectable-paragraph=\"\">Write Alt-Security-Identities<\/h2>\n<p>&nbsp;<\/p>\n<p id=\"6abf\" class=\"pw-post-body-paragraph nb nc gt nd b ne oz ng nh ni pa nk nl nm pb no np nq pc ns nt nu pd nw nx ny gm bj\" data-selectable-paragraph=\"\">The\u00a0<code class=\"cw qk ql qm qc b\">Public-Information<\/code>\u00a0property set also includes\u00a0<code class=\"cw qk ql qm qc b\">Alt-Security-Identities<\/code>, with the following Microsoft description: \u201c<em class=\"nz\">Contains mappings for X.509 certificates or external Kerberos user accounts to this user for the purpose of authentication\u201d.<\/em>\u00a0There is a more detailed description at\u00a0<a class=\"af oa\" 
href=\"https:\/\/learn.microsoft.com\/en-us\/windows\/win32\/ad\/security-properties#altsecurityidentities\" target=\"_blank\" rel=\"noopener ugc nofollow\">User Security Attributes<\/a>\u00a0and\u00a0<a class=\"af oa\" href=\"https:\/\/support.microsoft.com\/en-us\/topic\/kb5014754-certificate-based-authentication-changes-on-windows-domain-controllers-ad2c23b0-15d8-4340-a468-4d4f3b188f16\" target=\"_blank\" rel=\"noopener ugc nofollow\">KB5014754 \u2014 Certificate-based authentication changes on Windows domain controllers<\/a>.<\/p>\n<p id=\"714b\" class=\"pw-post-body-paragraph nb nc gt nd b ne nf ng nh ni nj nk nl nm nn no np nq nr ns nt nu nv nw nx ny gm bj\" data-selectable-paragraph=\"\">The \u201cmappings\u201d you can add in the attribute are strings that follow a defined pattern. To map an external Kerberos user with the UPN\u00a0<code class=\"cw qk ql qm qc b\">Jeff.Smith@Fabrikam.com<\/code><em class=\"nz\">\u00a0<\/em>to a given user, you would have to add this mapping string:\u00a0<code class=\"cw qk ql qm qc b\">Kerberos:Jeff.Smith@Fabrikam.com<\/code>. 
The X.509 certificate mapping gives you options to use different property values of a certificate:<\/p>\n<figure class=\"pp pq pr ps pt pu pm pn paragraph-image\">\n<div class=\"px py fi pz bg qa\" tabindex=\"0\" role=\"button\">\n<div class=\"pm pn rj\"><picture><source srcset=\"https:\/\/miro.medium.com\/v2\/resize:fit:640\/format:webp\/0*3QkedfyMbcXgqGkD 640w, https:\/\/miro.medium.com\/v2\/resize:fit:720\/format:webp\/0*3QkedfyMbcXgqGkD 720w, https:\/\/miro.medium.com\/v2\/resize:fit:750\/format:webp\/0*3QkedfyMbcXgqGkD 750w, https:\/\/miro.medium.com\/v2\/resize:fit:786\/format:webp\/0*3QkedfyMbcXgqGkD 786w, https:\/\/miro.medium.com\/v2\/resize:fit:828\/format:webp\/0*3QkedfyMbcXgqGkD 828w, https:\/\/miro.medium.com\/v2\/resize:fit:1100\/format:webp\/0*3QkedfyMbcXgqGkD 1100w, https:\/\/miro.medium.com\/v2\/resize:fit:1400\/format:webp\/0*3QkedfyMbcXgqGkD 1400w\" type=\"image\/webp\" sizes=\"(min-resolution: 4dppx) and (max-width: 700px) 50vw, (-webkit-min-device-pixel-ratio: 4) and (max-width: 700px) 50vw, (min-resolution: 3dppx) and (max-width: 700px) 67vw, (-webkit-min-device-pixel-ratio: 3) and (max-width: 700px) 65vw, (min-resolution: 2.5dppx) and (max-width: 700px) 80vw, (-webkit-min-device-pixel-ratio: 2.5) and (max-width: 700px) 80vw, (min-resolution: 2dppx) and (max-width: 700px) 100vw, (-webkit-min-device-pixel-ratio: 2) and (max-width: 700px) 100vw, 700px\" \/><source srcset=\"https:\/\/miro.medium.com\/v2\/resize:fit:640\/0*3QkedfyMbcXgqGkD 640w, https:\/\/miro.medium.com\/v2\/resize:fit:720\/0*3QkedfyMbcXgqGkD 720w, https:\/\/miro.medium.com\/v2\/resize:fit:750\/0*3QkedfyMbcXgqGkD 750w, https:\/\/miro.medium.com\/v2\/resize:fit:786\/0*3QkedfyMbcXgqGkD 786w, https:\/\/miro.medium.com\/v2\/resize:fit:828\/0*3QkedfyMbcXgqGkD 828w, https:\/\/miro.medium.com\/v2\/resize:fit:1100\/0*3QkedfyMbcXgqGkD 1100w, https:\/\/miro.medium.com\/v2\/resize:fit:1400\/0*3QkedfyMbcXgqGkD 1400w\" sizes=\"(min-resolution: 4dppx) and (max-width: 700px) 50vw, 
(-webkit-min-device-pixel-ratio: 4) and (max-width: 700px) 50vw, (min-resolution: 3dppx) and (max-width: 700px) 67vw, (-webkit-min-device-pixel-ratio: 3) and (max-width: 700px) 65vw, (min-resolution: 2.5dppx) and (max-width: 700px) 80vw, (-webkit-min-device-pixel-ratio: 2.5) and (max-width: 700px) 80vw, (min-resolution: 2dppx) and (max-width: 700px) 100vw, (-webkit-min-device-pixel-ratio: 2) and (max-width: 700px) 100vw, 700px\" data-testid=\"og\" \/><img decoding=\"async\" class=\"bg mi pv c\" role=\"presentation\" src=\"https:\/\/miro.medium.com\/v2\/resize:fit:1400\/0*3QkedfyMbcXgqGkD\" alt=\"\" width=\"700\" height=\"415\"><\/picture><\/div>\n<\/div>\n<\/figure>\n<p id=\"b456\" class=\"pw-post-body-paragraph nb nc gt nd b ne nf ng nh ni nj nk nl nm nn no np nq nr ns nt nu nv nw nx ny gm bj\" data-selectable-paragraph=\"\">These X.509 certificate mappings are known as\u00a0<em class=\"nz\">explicit certificate mappings<\/em>, as you explicitly define the mapping instead of letting the DC implicitly find the matching principal based on the UPN or the\u00a0<code class=\"cw qk ql qm qc b\">SAM-Account-Name<\/code>\u00a0value.<\/p>\n<p id=\"e7ca\" class=\"pw-post-body-paragraph nb nc gt nd b ne nf ng nh ni nj nk nl nm nn no np nq nr ns nt nu nv nw nx ny gm bj\" data-selectable-paragraph=\"\">Before you get too excited, there are two ACEs in place on the domain object and AdminSDHolder that deny Exchange Trusted Subsystem write access to\u00a0<code class=\"cw qk ql qm qc b\">Alt-Security-Identities<\/code>:<\/p>\n<p data-selectable-paragraph=\"\"><img decoding=\"async\" class=\"aligncenter size-full wp-image-8650 lazyload\" data-src=\"https:\/\/www.teal-consulting.de\/wp-content\/uploads\/2024\/04\/Bildschirmfoto-2024-04-02-um-14.59.14.png\" alt=\"\" width=\"694\" height=\"667\" data-srcset=\"https:\/\/www.teal-consulting.de\/wp-content\/uploads\/2024\/04\/Bildschirmfoto-2024-04-02-um-14.59.14.png 694w, 
https:\/\/www.teal-consulting.de\/wp-content\/uploads\/2024\/04\/Bildschirmfoto-2024-04-02-um-14.59.14-300x288.png 300w\" data-sizes=\"(max-width: 694px) 100vw, 694px\" src=\"data:image\/svg+xml;base64,PHN2ZyB3aWR0aD0iMSIgaGVpZ2h0PSIxIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciPjwvc3ZnPg==\" style=\"--smush-placeholder-width: 694px; --smush-placeholder-aspect-ratio: 694\/667;\" \/><\/p>\n<p id=\"6d05\" class=\"pw-post-body-paragraph nb nc gt nd b ne nf ng nh ni nj nk nl nm nn no np nq nr ns nt nu nv nw nx ny gm bj\" data-selectable-paragraph=\"\">What is interesting, though, is that they apply to the current object and descendant computer objects only. That means that Exchange Trusted Subsystem can still write to\u00a0<code class=\"cw qk ql qm qc b\">Alt-Security-Identities<\/code>\u00a0of all users with ACL inheritance enabled (i.e., users that are not AdminSDHolder protected). Let us see what that allows us to do.<\/p>\n<p id=\"c3c1\" class=\"pw-post-body-paragraph nb nc gt nd b ne nf ng nh ni nj nk nl nm nn no np nq nr ns nt nu nv nw nx ny gm bj\" data-selectable-paragraph=\"\"><strong class=\"nd gu\">Kerberos Explicit Mapping<br \/>\n<\/strong>It seems like it was possible to abuse the Kerberos explicit mapping before the\u00a0<a class=\"af oa\" href=\"https:\/\/support.microsoft.com\/en-us\/topic\/kb5008380-authentication-updates-cve-2021-42287-9dafac11-e0d0-4cb8-959a-143bd0201041\" target=\"_blank\" rel=\"noopener ugc nofollow\">No PAC patch<\/a>.\u00a0<a class=\"af oa\" href=\"https:\/\/twitter.com\/exploitph\" target=\"_blank\" rel=\"noopener ugc nofollow\">Charlie Clark<\/a>\u00a0demonstrates in his\u00a0<a class=\"af oa\" href=\"https:\/\/exploit.ph\/cve-2021-42287-cve-2021-42278-weaponisation.html\" target=\"_blank\" rel=\"noopener ugc nofollow\">CVE-2021-42287\/CVE-2021-42278 Weaponisation<\/a>\u00a0blog post how an attacker in one domain with write permission on\u00a0<code class=\"cw qk ql qm qc b\">Alt-Security-Identities<\/code>\u00a0of a target user 
in another domain allows the attacker to compromise the target user with the following steps:<\/p>\n<ol class=\"\">\n<li id=\"b9a2\" class=\"nb nc gt nd b ne nf ng nh ni nj nk nl nm nn no np nq nr ns nt nu nv nw nx ny qn pf pg bj\" data-selectable-paragraph=\"\">Add the mapping string \u201c<code class=\"cw qk ql qm qc b\">Kerberos:Jeff.Smith@Fabrikam.com<\/code>\u201d, where the UPN is that of the attacker user, to the\u00a0<code class=\"cw qk ql qm qc b\">Alt-Security-Identities<\/code>\u00a0attribute of the target user<\/li>\n<li id=\"4ddb\" class=\"nb nc gt nd b ne ph ng nh ni pi nk nl nm pj no np nq pk ns nt nu pl nw nx ny qn pf pg bj\" data-selectable-paragraph=\"\">Request a Kerberos Ticket-Granting Ticket (TGT) with no Privilege Attribute Certificate (PAC) as the attacker user from its local domain<\/li>\n<li id=\"96e0\" class=\"nb nc gt nd b ne ph ng nh ni pi nk nl nm pj no np nq pk ns nt nu pl nw nx ny qn pf pg bj\" data-selectable-paragraph=\"\">Use the TGT to request an inter-realm TGT to the domain of the targeted user<\/li>\n<li id=\"95fa\" class=\"nb nc gt nd b ne ph ng nh ni pi nk nl nm pj no np nq pk ns nt nu pl nw nx ny qn pf pg bj\" data-selectable-paragraph=\"\">Use the inter-realm TGT to request a service ticket for the domain of the targeted user<\/li>\n<\/ol>\n<p id=\"c0c9\" class=\"pw-post-body-paragraph nb nc gt nd b ne nf ng nh ni nj nk nl nm nn no np nq nr ns nt nu nv nw nx ny gm bj\" data-selectable-paragraph=\"\">The service ticket received in the last step contains the PAC of the targeted user and enables the attacker to impersonate the targeted user.<\/p>\n<p id=\"318c\" class=\"pw-post-body-paragraph nb nc gt nd b ne nf ng nh ni nj nk nl nm nn no np nq nr ns nt nu nv nw nx ny gm bj\" data-selectable-paragraph=\"\">The \u201cNo PAC\u201d patch made it impossible to get a TGT without a PAC from an AD Kerberos Key Distribution 
Center (KDC). I attempted to execute the attack in a patched environment where the TGT had a PAC and it did not work; however, I assume that it is possible to pull off the attack from a non-Windows KDC realm with inbound trust from the AD domain of the target user, as it should be possible to obtain a TGT with no PAC from there.<\/p>\n<p id=\"95e9\" class=\"pw-post-body-paragraph nb nc gt nd b ne nf ng nh ni nj nk nl nm nn no np nq nr ns nt nu nv nw nx ny gm bj\" data-selectable-paragraph=\"\"><strong class=\"nd gu\">X.509 Certificate Explicit Mapping<br \/>\n<\/strong>An explicit certificate mapping is a reference to a certificate. Anyone with a certificate matching the reference of a principal\u2019s explicit certificate mapping can use their certificate to authenticate as the principal. An attacker can therefore abuse write access to the\u00a0<code class=\"cw qk ql qm qc b\">Alt-Security-Identities<\/code>\u00a0attribute of an AD user to add an explicit certificate mapping referring to a certificate in the attacker\u2019s possession, and then use this certificate to authenticate as that user.<\/p>\n<p id=\"cc35\" class=\"pw-post-body-paragraph nb nc gt nd b ne nf ng nh ni nj nk nl nm nn no np nq nr ns nt nu nv nw nx ny gm bj\" data-selectable-paragraph=\"\">This abuse technique was first documented in 2019, when\u00a0<a class=\"af oa\" href=\"https:\/\/github.com\/gdedrouas\" target=\"_blank\" rel=\"noopener ugc nofollow\">G\u00e9raud de Drouas<\/a>\u00a0described how an attacker that has compromised on-premises Exchange can perform the attack, on this GitHub page:\u00a0<a class=\"af oa\" href=\"https:\/\/github.com\/gdedrouas\/Exchange-AD-Privesc\/blob\/master\/Alt-Security-Identities\/Alt-Security-Identities.md\" target=\"_blank\" rel=\"noopener ugc nofollow\">Public-Information property set includes Alt-Security-Identities, allows x509 certificate mapping to privileged users<\/a>. 
Additionally,\u00a0<a class=\"af oa\" href=\"https:\/\/twitter.com\/iansus\" target=\"_blank\" rel=\"noopener ugc nofollow\">Jean Marsault<\/a>\u00a0has demonstrated the attack in the\u00a0<a class=\"af oa\" href=\"https:\/\/www.riskinsight-wavestone.com\/en\/2021\/06\/microsoft-adcs-abusing-pki-in-active-directory-environment\/#section-3-4\" target=\"_blank\" rel=\"noopener ugc nofollow\">Microsoft ADCS \u2014 Abusing PKI in Active Directory Environment<\/a>\u00a0blog post under the section named \u201c<em class=\"nz\">ACL exploit on user objects (1)<\/em>\u201d. I have recently also looked into the abuse technique and published a blog post about it here:\u00a0<a class=\"af oa\" href=\"https:\/\/posts.specterops.io\/adcs-esc14-abuse-technique-333a004dc2b9\" target=\"_blank\" rel=\"noopener ugc nofollow\">ADCS ESC14 Abuse Technique<\/a>.<\/p>\n<p id=\"796a\" class=\"pw-post-body-paragraph nb nc gt nd b ne nf ng nh ni nj nk nl nm nn no np nq nr ns nt nu nv nw nx ny gm bj\" data-selectable-paragraph=\"\">An attacker can execute the attack with the following steps:<\/p>\n<ol>\n<li style=\"list-style-type: none;\">\n<ol>\n<li style=\"list-style-type: none;\">\n<ol class=\"\">\n<li id=\"2df9\" class=\"nb nc gt nd b ne nf ng nh ni nj nk nl nm nn no np nq nr ns nt nu nv nw nx ny qn pf pg bj\" data-selectable-paragraph=\"\">Enroll a certificate in a certificate template that allows for (client) authentication<\/li>\n<li id=\"4619\" class=\"nb nc gt nd b ne ph ng nh ni pi nk nl nm pj no np nq pk ns nt nu pl nw nx ny qn pf pg bj\" data-selectable-paragraph=\"\">Add a (strong) explicit certificate mapping based on the certificate in the\u00a0<code class=\"cw qk ql qm qc b\">Alt-Security-Identities<\/code>\u00a0attribute of the target principal<\/li>\n<li id=\"8e1e\" class=\"nb nc gt nd b ne ph ng nh ni pi nk nl nm pj no np nq pk ns nt nu pl nw nx ny qn pf pg bj\" data-selectable-paragraph=\"\">Authenticate as the target principal using the 
certificate<\/li>\n<\/ol>\n<\/li>\n<\/ol>\n<\/li>\n<\/ol>\n<p id=\"ffd8\" class=\"pw-post-body-paragraph nb nc gt nd b ne nf ng nh ni nj nk nl nm nn no np nq nr ns nt nu nv nw nx ny gm bj\" data-selectable-paragraph=\"\">The\u00a0<a class=\"af oa\" href=\"https:\/\/posts.specterops.io\/adcs-esc14-abuse-technique-333a004dc2b9\" target=\"_blank\" rel=\"noopener ugc nofollow\">ADCS ESC14 Abuse Technique<\/a>\u00a0blog post describes the details of the requirements and includes a demonstration of the attack. An attacker can even abuse certificate templates configured for computer enrollment to compromise users. In a default environment, the attack is therefore possible using the\u00a0<em class=\"nz\">Computer<\/em>\u00a0<em class=\"nz\">(Machine)<\/em>\u00a0certificate template, which grants \u201cEnroll\u201d permission to the\u00a0<em class=\"nz\">Domain Computers\u00a0<\/em>group.<\/p>\n<p id=\"f3e7\" class=\"pw-post-body-paragraph nb nc gt nd b ne nf ng nh ni nj nk nl nm nn no np nq nr ns nt nu nv nw nx ny gm bj\" data-selectable-paragraph=\"\"><strong class=\"nd gu\">This means that an attacker with control over an Exchange admin or Exchange server can compromise any AD user with ACL inheritance enabled, even if you have configured Exchange in the AD split permission model.<\/strong><\/p>\n<p id=\"facc\" class=\"pw-post-body-paragraph nb nc gt nd b ne nf ng nh ni nj nk nl nm nn no np nq nr ns nt nu nv nw nx ny gm bj\" data-selectable-paragraph=\"\">An attacker who cannot enroll any certificates in the environment may even still be able to execute the attack.\u00a0<a class=\"af oa\" href=\"https:\/\/www.linkedin.com\/in\/hans-joachim-knobloch-165527267\/\" target=\"_blank\" rel=\"noopener ugc nofollow\">Hans-Joachim Knobloch<\/a>\u00a0explained in\u00a0<a class=\"af oa\" 
href=\"https:\/\/www.linkedin.com\/feed\/update\/urn:li:activity:7168697973026107392?commentUrn=urn%3Ali%3Acomment%3A%28activity%3A7168697973026107392%2C7169343075184558080%29&amp;dashCommentUrn=urn%3Ali%3Afsd_comment%3A%287169343075184558080%2Curn%3Ali%3Aactivity%3A7168697973026107392%29\" target=\"_blank\" rel=\"noopener ugc nofollow\">a LinkedIn thread<\/a>\u00a0that the KDC does not require that the DC trusts the issuer of a certificate for NT authentication when performing\u00a0<em class=\"nz\">X509IssuerSubject<\/em>,\u00a0<em class=\"nz\">X509IssuerSerialNumber<\/em>,\u00a0<em class=\"nz\">X509SKI<\/em>, or\u00a0<em class=\"nz\">X509SHA1PublicKey<\/em>\u00a0explicit certificate mapping. Microsoft has visualized this behavior in a flow chart in the\u00a0<a class=\"af oa\" href=\"https:\/\/learn.microsoft.com\/en-us\/windows\/security\/identity-protection\/smart-cards\/smart-card-certificate-requirements-and-enumeration#certificate-processing-logic\" target=\"_blank\" rel=\"noopener ugc nofollow\">Certificate processing logic<\/a>\u00a0documentation and Hans has discussed it in a very interesting blog post here:<a class=\"af oa\" href=\"https:\/\/pkiblog.knobloch.info\/nilpferde-ndes-und-goldene-zertifikate-als-schluessel-zum-ad\" target=\"_blank\" rel=\"noopener ugc nofollow\">\u00a0Nilpferde, NDES und goldene Zertifikate als Schl\u00fcssel zum AD<\/a>. It means that an attacker can potentially use a certificate of one of the many public root CAs that DCs trust by default in an attack, eliminating the need for enrollment rights in the AD environment.<\/p>\n<h2 id=\"cb22\" class=\"ob oc gt be od oe of og oh oi oj ok ol om on oo op oq or os ot ou ov ow ox oy bj\">Reduce Exchange\u2019s Permissions in AD<\/h2>\n<p>&nbsp;<\/p>\n<p id=\"16ac\" class=\"pw-post-body-paragraph nb nc gt nd b ne oz ng nh ni pa nk nl nm pb no np nq pc ns nt nu pd nw nx ny gm bj\" data-selectable-paragraph=\"\">If you (as an organization) are not using Exchange on-premises anymore (e.g. 
you are only using Exchange Online \u2014 not hybrid), then you should get rid of Exchange on-premises. Microsoft has provided some guidance on decommissioning Exchange servers:\u00a0<a class=\"af oa\" href=\"https:\/\/learn.microsoft.com\/en-us\/exchange\/decommission-on-premises-exchange\" target=\"_blank\" rel=\"noopener ugc nofollow\">How and when to decommission your on-premises Exchange servers in a hybrid deployment<\/a>. After you have decommissioned the Exchange servers, you need to clean up the AD Exchange groups manually. There is a detailed guide provided by\u00a0<a class=\"af oa\" href=\"https:\/\/www.alitajran.com\/\" target=\"_blank\" rel=\"noopener ugc nofollow\">Ali Tajran<\/a>\u00a0here:\u00a0<a class=\"af oa\" href=\"https:\/\/www.alitajran.com\/how-to-remove-exchange-from-active-directory\/\" target=\"_blank\" rel=\"noopener ugc nofollow\">How to remove Exchange from Active Directory<\/a>.<\/p>\n<p id=\"7d58\" class=\"pw-post-body-paragraph nb nc gt nd b ne nf ng nh ni nj nk nl nm nn no np nq nr ns nt nu nv nw nx ny gm bj\" data-selectable-paragraph=\"\">If you do need Exchange on-premises, you can instead limit the AD permissions of Exchange. It is difficult to come up with a generic minimal set of AD permissions for the Exchange AD groups, as the usage of Exchange varies across organizations; however, it should be possible to identify what users and groups Exchange does\u00a0<strong class=\"nd gu\">not<\/strong>\u00a0need any permissions on at all. Exchange should not need permissions on most if not all service accounts, admin users, and admin groups. Admin users do have mailboxes in some organizations. 
You should avoid that by implementing\u00a0<a class=\"af oa\" href=\"https:\/\/learn.microsoft.com\/en-us\/security\/privileged-access-workstations\/critical-impact-accounts#separate-accounts-for-admins\" target=\"_blank\" rel=\"noopener ugc nofollow\">separate accounts for admins<\/a>, so that admin users are not exposed to email attacks like phishing. An employee with a role that requires privileged (admin) access should get a separate admin account without a mailbox for their privileged access in addition to their regular work account with a mailbox.<\/p>\n<p id=\"2e55\" class=\"pw-post-body-paragraph nb nc gt nd b ne nf ng nh ni nj nk nl nm nn no np nq nr ns nt nu nv nw nx ny gm bj\" data-selectable-paragraph=\"\">There are multiple ways to prevent the Exchange AD permissions of the domain object from being applied to a given set of objects:<\/p>\n<ol>\n<li style=\"list-style-type: none;\">\n<ol>\n<li style=\"list-style-type: none;\">\n<ol class=\"\">\n<li id=\"42b4\" class=\"nb nc gt nd b ne nf ng nh ni nj nk nl nm nn no np nq nr ns nt nu nv nw nx ny qn pf pg bj\" data-selectable-paragraph=\"\"><strong class=\"nd gu\">Move Exchange ACEs to the right OUs (recommended)<br \/>\n<\/strong>You can move all the AD permissions the Exchange groups have on the AD domain object to the OUs where you have the groups and users relevant to Exchange. Practically, you have to add the ACEs on the OUs and then delete them from the domain object. 
You should confirm on the child users and computers that their ACLs are the same, and that ACL precedence (documented\u00a0<a class=\"af oa\" href=\"https:\/\/www.ntfs.com\/ntfs-permissions-precedence.htm\" target=\"_blank\" rel=\"noopener ugc nofollow\">here<\/a>) has not caused a change.<\/li>\n<li id=\"933b\" class=\"nb nc gt nd b ne ph ng nh ni pi nk nl nm pj no np nq pk ns nt nu pl nw nx ny qn pf pg bj\" data-selectable-paragraph=\"\"><strong class=\"nd gu\">Block ACL inheritance on admin OUs<br \/>\n<\/strong>It is common practice when implementing AD tiering to create a Tier Zero OU with inheritance disabled, such that permissions configured on the AD domain object will not apply to Tier Zero objects. This concept works as well for protecting AD objects against Exchange permissions. The disadvantage of blocking inheritance is that it becomes more complex to figure out where permissions apply in the environment.<\/li>\n<li id=\"3285\" class=\"nb nc gt nd b ne ph ng nh ni pi nk nl nm pj no np nq pk ns nt nu pl nw nx ny qn pf pg bj\" data-selectable-paragraph=\"\"><strong class=\"nd gu\">Implement deny ACEs (not recommended)<\/strong><br \/>\nYou could implement deny ACEs on admin OUs to block the permissions granted to the Exchange groups. ACL precedence is tricky, especially because explicit allow ACEs take precedence over inherited deny. 
To keep ACLs as simple as possible, I recommend avoiding deny ACEs.<\/li>\n<\/ol>\n<\/li>\n<\/ol>\n<\/li>\n<\/ol>\n<figure class=\"pp pq pr ps pt pu pm pn paragraph-image\">\n<div class=\"px py fi pz bg qa\" tabindex=\"0\" role=\"button\">\n<div class=\"pm pn pw\"><picture><source srcset=\"https:\/\/miro.medium.com\/v2\/resize:fit:640\/format:webp\/0*Mv1CWdM3M6Vmq3NQ 640w, https:\/\/miro.medium.com\/v2\/resize:fit:720\/format:webp\/0*Mv1CWdM3M6Vmq3NQ 720w, https:\/\/miro.medium.com\/v2\/resize:fit:750\/format:webp\/0*Mv1CWdM3M6Vmq3NQ 750w, https:\/\/miro.medium.com\/v2\/resize:fit:786\/format:webp\/0*Mv1CWdM3M6Vmq3NQ 786w, https:\/\/miro.medium.com\/v2\/resize:fit:828\/format:webp\/0*Mv1CWdM3M6Vmq3NQ 828w, https:\/\/miro.medium.com\/v2\/resize:fit:1100\/format:webp\/0*Mv1CWdM3M6Vmq3NQ 1100w, https:\/\/miro.medium.com\/v2\/resize:fit:1400\/format:webp\/0*Mv1CWdM3M6Vmq3NQ 1400w\" type=\"image\/webp\" sizes=\"(min-resolution: 4dppx) and (max-width: 700px) 50vw, (-webkit-min-device-pixel-ratio: 4) and (max-width: 700px) 50vw, (min-resolution: 3dppx) and (max-width: 700px) 67vw, (-webkit-min-device-pixel-ratio: 3) and (max-width: 700px) 65vw, (min-resolution: 2.5dppx) and (max-width: 700px) 80vw, (-webkit-min-device-pixel-ratio: 2.5) and (max-width: 700px) 80vw, (min-resolution: 2dppx) and (max-width: 700px) 100vw, (-webkit-min-device-pixel-ratio: 2) and (max-width: 700px) 100vw, 700px\" \/><source srcset=\"https:\/\/miro.medium.com\/v2\/resize:fit:640\/0*Mv1CWdM3M6Vmq3NQ 640w, https:\/\/miro.medium.com\/v2\/resize:fit:720\/0*Mv1CWdM3M6Vmq3NQ 720w, https:\/\/miro.medium.com\/v2\/resize:fit:750\/0*Mv1CWdM3M6Vmq3NQ 750w, https:\/\/miro.medium.com\/v2\/resize:fit:786\/0*Mv1CWdM3M6Vmq3NQ 786w, https:\/\/miro.medium.com\/v2\/resize:fit:828\/0*Mv1CWdM3M6Vmq3NQ 828w, https:\/\/miro.medium.com\/v2\/resize:fit:1100\/0*Mv1CWdM3M6Vmq3NQ 1100w, https:\/\/miro.medium.com\/v2\/resize:fit:1400\/0*Mv1CWdM3M6Vmq3NQ 1400w\" sizes=\"(min-resolution: 4dppx) and (max-width: 700px) 50vw, 
(-webkit-min-device-pixel-ratio: 4) and (max-width: 700px) 50vw, (min-resolution: 3dppx) and (max-width: 700px) 67vw, (-webkit-min-device-pixel-ratio: 3) and (max-width: 700px) 65vw, (min-resolution: 2.5dppx) and (max-width: 700px) 80vw, (-webkit-min-device-pixel-ratio: 2.5) and (max-width: 700px) 80vw, (min-resolution: 2dppx) and (max-width: 700px) 100vw, (-webkit-min-device-pixel-ratio: 2) and (max-width: 700px) 100vw, 700px\" data-testid=\"og\" \/><img decoding=\"async\" class=\"bg mi pv c\" role=\"presentation\" src=\"https:\/\/miro.medium.com\/v2\/resize:fit:1400\/0*Mv1CWdM3M6Vmq3NQ\" alt=\"\" width=\"700\" height=\"470\"><\/picture><\/div>\n<\/div><figcaption class=\"rk fe rl pm pn rm rn be b bf z dt\" data-selectable-paragraph=\"\">Yes, I used the same meme in my previous blog post. I really mean it!<\/figcaption><\/figure>\n<p id=\"d946\" class=\"pw-post-body-paragraph nb nc gt nd b ne nf ng nh ni nj nk nl nm nn no np nq nr ns nt nu nv nw nx ny gm bj\" data-selectable-paragraph=\"\">The above recommendations are valid for Exchange configured in any permission model. For more details on how to build an OU structure and configure ACLs to prevent ACL-based attacks, check out the talk\u00a0<a class=\"af oa\" href=\"https:\/\/www.linkedin.com\/in\/alexander-schmitt1337\/overlay\/about-this-profile\/\" target=\"_blank\" rel=\"noopener ugc nofollow\">Alexander Schmitt<\/a>\u00a0and I gave at Troopers last year:\u00a0<a class=\"af oa\" href=\"https:\/\/youtu.be\/4aQZUdpmQno?si=bPLzZ47dvYEdG-5M\" target=\"_blank\" rel=\"noopener ugc nofollow\">Hidden Pathways \u2014 Exploring the Anatomy of ACL-Based Active Directory Attacks and Building Strong Defenses<\/a>.<\/p>\n<p id=\"f23c\" class=\"pw-post-body-paragraph nb nc gt nd b ne nf ng nh ni nj nk nl nm nn no np nq nr ns nt nu nv nw nx ny gm bj\" data-selectable-paragraph=\"\"><em class=\"nz\">EDIT: Note that Microsoft does not support the solutions above. 
They write: \u201c<\/em><a class=\"af oa\" href=\"https:\/\/learn.microsoft.com\/en-us\/exchange\/permissions\/permissions?view=exchserver-2019\" target=\"_blank\" rel=\"noopener ugc nofollow\"><em class=\"nz\">Disabling permissions inheritance on Active Directory (AD) objects, in an AD domain that is prepared to host Exchange, isn\u2019t supported. The removal of Exchange-related permissions on AD objects will cause Exchange tasks and functions to break or may lead to unknown issues.<\/em><\/a><em class=\"nz\">\u201d. Microsoft does not want to help you troubleshoot why your Exchange is broken when you have deleted its permissions in AD. But that should not stop you from protecting AD principals Exchange should not be in control of. As mentioned earlier, Microsoft does in fact recommend disabling ACL inheritance on the Microsoft Entra Connect service account.<\/em><\/p>\n<p id=\"f00a\" class=\"pw-post-body-paragraph nb nc gt nd b ne nf ng nh ni nj nk nl nm nn no np nq nr ns nt nu nv nw nx ny gm bj\" data-selectable-paragraph=\"\"><em class=\"nz\">You should also be aware that future updates for Exchange may change Exchange\u2019s permissions in AD. Microsoft usually describes in the update notes what AD changes the update makes, but they are not always precise. It is therefore a good practice after you install an Exchange update to check that the customization you have implemented is still in place and the update has not granted additional undesired permissions to Exchange groups.<\/em><\/p>\n<p id=\"bcf7\" class=\"pw-post-body-paragraph nb nc gt nd b ne nf ng nh ni nj nk nl nm nn no np nq nr ns nt nu nv nw nx ny gm bj\" data-selectable-paragraph=\"\">If you configure Exchange to the AD split model, Exchange will not have the same compromising permissions as the two other permission models.\u00a0<strong class=\"nd gu\">I therefore highly recommend considering the AD split model<\/strong>. 
I have limited knowledge about Exchange admin work and I do not know\u00a0<em class=\"nz\">how<\/em>\u00a0big of a challenge it is for Exchange admins to adapt to the AD split model, but I have heard that it requires an effort. I recommend checking out\u00a0<a class=\"af oa\" href=\"https:\/\/learn.microsoft.com\/en-us\/exchange\/permissions\/split-permissions\/configure-exchange-for-split-permissions?view=exchserver-2019#switch-to-active-directory-split-permissions\" target=\"_blank\" rel=\"noopener ugc nofollow\">Switch to Active Directory split permissions<\/a>\u00a0by Microsoft and this\u00a0<a class=\"af oa\" href=\"https:\/\/www.linkedin.com\/company\/teal-technology-consulting-gmbh\/\" target=\"_blank\" rel=\"noopener ugc nofollow\">TEAL<\/a>\u00a0blog post that explains how to configure some of the permissions you might need to configure:\u00a0<a class=\"af oa\" href=\"https:\/\/www.teal-consulting.de\/en\/2023\/05\/15\/exchange-split-permission\/\" target=\"_blank\" rel=\"noopener ugc nofollow\">Exchange Split Permission \u2014 AD Permissions and Processes<\/a>.<\/p>\n<p id=\"1aa2\" class=\"pw-post-body-paragraph nb nc gt nd b ne nf ng nh ni nj nk nl nm nn no np nq nr ns nt nu nv nw nx ny gm bj\" data-selectable-paragraph=\"\">If you choose to not go for the AD split model, then consider if you can reduce any of the three compromising permissions described in the\u00a0<a class=\"af oa\" href=\"https:\/\/posts.specterops.io\/pwned-by-the-mail-carrier-0750edfad43b#1251\" rel=\"noopener ugc nofollow\" target=\"_blank\"><em class=\"nz\">What Can Exchange Do Today, BloodHound?<\/em><\/a>\u00a0section. 
For example, it might not be necessary for Exchange to be able to reset the password of regular users, even if they have a mailbox.<\/p>\n<p id=\"9e9d\" class=\"pw-post-body-paragraph nb nc gt nd b ne nf ng nh ni nj nk nl nm nn no np nq nr ns nt nu nv nw nx ny gm bj\" data-selectable-paragraph=\"\">Reducing the Exchange Trusted Subsystem group\u2019s write permission to the\u00a0<code class=\"cw qk ql qm qc b\">Alt-Security-Identities<\/code>\u00a0attribute on users is tricky, as the permission is granted through write access to the\u00a0<code class=\"cw qk ql qm qc b\">Public-Information<\/code>\u00a0property set. To avoid deny ACEs, you could replace write access to the property set with write access to the individual attributes in the property set; however, that will increase the number of ACEs significantly for a large property set like\u00a0<code class=\"cw qk ql qm qc b\">Public-Information<\/code>. Attributes can only belong to a single property set, so creating a custom property set containing a subset of an original property set is not an option unless you remove the attributes from the original one. The best solution, as I see it, is therefore modifying the existing deny write to\u00a0<code class=\"cw qk ql qm qc b\">Alt-Security-Identities<\/code>\u00a0ACE for Exchange Trusted Subsystem on the domain object to hit objects of all classes instead of only computers. 
You can use this PowerShell script to check what users have the attribute set to get an idea of the usage of the attribute in the organization before you implement changes:\u00a0<a class=\"af oa\" href=\"https:\/\/github.com\/JonasBK\/Powershell\/blob\/master\/Get-AltSecIDMapping.ps1\" target=\"_blank\" rel=\"noopener ugc nofollow\">Get-AltSecIDMapping.ps1<\/a>.<\/p>\n<p id=\"40ad\" class=\"pw-post-body-paragraph nb nc gt nd b ne nf ng nh ni nj nk nl nm nn no np nq nr ns nt nu nv nw nx ny gm bj\" data-selectable-paragraph=\"\">Lastly, you should also check what non-default AD permissions Exchange has gained over the years. Exchange typically has compromising permissions configured directly on the users, computers, and groups Exchange has created in AD. You can use this Cypher query in BloodHound to find outbound ACL edges made from non-inherited ACEs from Exchange groups to AD objects outside the Exchange OUs and containers:<\/p>\n<pre class=\"pp pq pr ps pt qb qc qd bo qe ba bj\"><img decoding=\"async\" class=\"aligncenter size-full wp-image-8652 lazyload\" data-src=\"https:\/\/www.teal-consulting.de\/wp-content\/uploads\/2024\/04\/Bildschirmfoto-2024-04-02-um-15.00.45.png\" alt=\"\" width=\"692\" height=\"173\" data-srcset=\"https:\/\/www.teal-consulting.de\/wp-content\/uploads\/2024\/04\/Bildschirmfoto-2024-04-02-um-15.00.45.png 692w, https:\/\/www.teal-consulting.de\/wp-content\/uploads\/2024\/04\/Bildschirmfoto-2024-04-02-um-15.00.45-300x75.png 300w\" data-sizes=\"(max-width: 692px) 100vw, 692px\" src=\"data:image\/svg+xml;base64,PHN2ZyB3aWR0aD0iMSIgaGVpZ2h0PSIxIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciPjwvc3ZnPg==\" style=\"--smush-placeholder-width: 692px; --smush-placeholder-aspect-ratio: 692\/173;\" \/><\/pre>\n<p id=\"9da6\" class=\"pw-post-body-paragraph nb nc gt nd b ne nf ng nh ni nj nk nl nm nn no np nq nr ns nt nu nv nw nx ny gm bj\" data-selectable-paragraph=\"\">Do involve your Exchange admins in the process of reducing the AD permissions of 
Exchange, as they can help you determine which permissions are necessary and check that things are working as expected after you apply changes. I also recommend that you document permissions before and after the change and prepare a way to restore removed permissions in case something breaks (e.g., using a script).<\/p>\n<p id=\"09f4\" class=\"pw-post-body-paragraph nb nc gt nd b ne nf ng nh ni nj nk nl nm nn no np nq nr ns nt nu nv nw nx ny gm bj\" data-selectable-paragraph=\"\">If you do not feel like reducing the AD permissions of Exchange at all, then you should consider the Exchange AD groups Exchange Windows Permissions and Exchange Trusted Subsystem as Tier Zero; however, I do advise against that. Exchange servers in Tier Zero increase the attack surface of Tier Zero, which means you should restrict access to the Exchange servers in the same way you do for DCs.<\/p>\n<h2 id=\"947d\" class=\"ob oc gt be od oe of og oh oi oj ok ol om on oo op oq or os ot ou ov ow ox oy bj\">Conclusion<\/h2>\n<p id=\"a7cf\" class=\"pw-post-body-paragraph nb nc gt nd b ne oz ng nh ni pa nk nl nm pb no np nq pc ns nt nu pd nw nx ny gm bj\" data-selectable-paragraph=\"\">This blog post has explored the compromising AD permissions of Microsoft Exchange, and we have assessed the Exchange permission models (i.e., shared, RBAC split, and AD split). We have found that the shared model and the RBAC split model allow an attacker who has compromised an Exchange admin or Exchange server to add themselves to any AD group and compromise (take over) any AD user, unless disabled ACL inheritance protects the targeted group or user. 
Furthermore, we have found that an Exchange admin can compromise the same users using explicit certificate mapping abuse (ESC14), and that this attack is possible even in the stricter AD split model.<\/p>\n<p id=\"e0e3\" class=\"pw-post-body-paragraph nb nc gt nd b ne nf ng nh ni nj nk nl nm nn no np nq nr ns nt nu nv nw nx ny gm bj\" data-selectable-paragraph=\"\">It is possible to limit the AD permissions of Exchange. You can change Exchange to use the AD split model and thereby resolve the compromising AD Exchange permissions, except the one allowing ESC14, which you can remediate as a separate effort. AD split model or not, you can also limit the scope of users and groups Exchange has permissions over; for example, by moving the permission from the domain object to the OUs containing the users and groups where Exchange actually needs permissions.<\/p>\n[\/vc_column_text][vc_empty_space height=&#8221;20&#8243;][\/vc_column_inner][\/vc_row_inner][\/vc_column][\/vc_row][vc_row css_animation=&#8221;&#8221; row_type=&#8221;row&#8221; use_row_as_full_screen_section=&#8221;no&#8221; type=&#8221;full_width&#8221; angled_section=&#8221;no&#8221; text_align=&#8221;left&#8221; background_image_as_pattern=&#8221;without_pattern&#8221;][vc_column][vc_empty_space height=&#8221;100&#8243;][vc_empty_space height=&#8221;50&#8243;][vc_separator type=&#8221;small&#8221; position=&#8221;center&#8221; color=&#8221;#eeeeee&#8221; thickness=&#8221;2&#8243; width=&#8221;1100&#8243;][vc_empty_space height=&#8221;50&#8243;][\/vc_column][\/vc_row][vc_row css_animation=&#8221;&#8221; row_type=&#8221;row&#8221; use_row_as_full_screen_section=&#8221;no&#8221; type=&#8221;full_width&#8221; angled_section=&#8221;no&#8221; text_align=&#8221;left&#8221; 
background_image_as_pattern=&#8221;without_pattern&#8221;][vc_column][\/vc_column][\/vc_row]\n<\/div>","protected":false},"excerpt":{"rendered":"<p>How MS Exchange on-premises compromises Active Directory and what organizations can do to prevent that. SpecterOps recommends their customers establish a security boundary around their most critical assets (i.e., Tier Zero) of Active Directory (AD). 
<\/p>\n","protected":false},"author":14,"featured_media":8655,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[14],"tags":[],"class_list":["post-8638","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-further-topics-en"],"_links":{"self":[{"href":"https:\/\/www.teal-consulting.de\/en\/wp-json\/wp\/v2\/posts\/8638","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.teal-consulting.de\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.teal-consulting.de\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.teal-consulting.de\/en\/wp-json\/wp\/v2\/users\/14"}],"replies":[{"embeddable":true,"href":"https:\/\/www.teal-consulting.de\/en\/wp-json\/wp\/v2\/comments?post=8638"}],"version-history":[{"count":11,"href":"https:\/\/www.teal-consulting.de\/en\/wp-json\/wp\/v2\/posts\/8638\/revisions"}],"predecessor-version":[{"id":8664,"href":"https:\/\/www.teal-consulting.de\/en\/wp-json\/wp\/v2\/posts\/8638\/revisions\/8664"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.teal-consulting.de\/en\/wp-json\/wp\/v2\/media\/8655"}],"wp:attachment":[{"href":"https:\/\/www.teal-consulting.de\/en\/wp-json\/wp\/v2\/media?parent=8638"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.teal-consulting.de\/en\/wp-json\/wp\/v2\/categories?post=8638"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.teal-consulting.de\/en\/wp-json\/wp\/v2\/tags?post=8638"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}