The Exchange vulnerability disclosed this year lets any domain user escalate to domain administrator and compromise Active Directory (AD) and every host that trusts it. This post explains how the attack works and how to detect it.
This is how the attack works:
- The attacker takes over the account of any domain user that has an active mailbox and uses it to subscribe to Exchange push notifications, pointing the subscription at a host under the attacker's control
- Exchange delivers the notification to that host and authenticates to it with NTLM over HTTP; the attacker relays this authentication to a domain controller over LDAP, so the DC sees a session authenticated with the Exchange server's own account
- The Exchange account holds elevated permissions on the domain object, and the attacker uses the relayed session to change the domain's access control and grant himself rights (typically the replication rights that DCSync needs). This last step can also be performed by a hostile administrator who already has legitimate access to make the same rights change. A rule that detects this rights change therefore protects against both variants and similar attacks.
With those rights the attacker can, for example, run DCSync to pull the password hashes of every domain user, which in turn enables attacks ranging from Golden Ticket to Pass-the-Hash.
The Varonis research team studied this attack vector in detail and prepared a guide for our customers on how to detect it and, at the same time, check whether they have already been compromised.
Detecting privilege escalation on the domain object
In DatAlert, create a custom rule that tracks permission changes on a specific object. It fires when rights or permissions are added to the domain object you care about:
- Enter a name for the rule
- Set the category to "Privilege escalation"
- Set Resource Type to "All Resource Types"
- Set File Server to DirectoryServices
- Select the domain of interest, for example by name
- Add a filter for permissions added on the AD object
- Leave the "Search in child objects" option unchecked, so the rule watches the domain object itself rather than everything beneath it
The resulting report: detection of permission changes on the domain object.
Permission changes on the domain object are rare, so everything that triggers this alert should be investigated. It is also worth reviewing the report's type and contents before enabling the rule itself.
The same report also shows whether this attack has already been carried out against you.
Once the rule is active, other privilege escalation events can be investigated in the DatAlert web interface.
With this rule in place you can monitor and protect against this and similar attacks, investigate events on AD directory service objects, and check whether you are exposed to this critical vulnerability.
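For readers who want to run the same two checks outside DatAlert, the following PowerShell script is an added example and is not part of the Varonis guide. It reads the ACL of the domain object and flags any principal outside an assumed default allowlist that holds the replication extended rights DCSync needs, or that holds WriteDacl on the domain object (the permission the relayed Exchange session abuses), and it then lists recent Security log events in which the domain object's nTSecurityDescriptor was modified. The GUIDs are the fixed schema values for the replication rights; the allowlist, the 30-day window and the assumption that the script runs on a domain controller with the ActiveDirectory module installed and "Audit Directory Service Changes" enabled are the author's assumptions, not the page's.

```powershell
# Added example, not Varonis code. Assumes: ActiveDirectory module present, run on a DC
# (or where DS change events are collected), and 'Audit Directory Service Changes'
# plus a SACL on the domain object, otherwise event 5136 is never written.
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$domainDN = $domain.DistinguishedName

# Schema-defined extended-right GUIDs that together permit DCSync.
$replicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}

# Assumed allowlist of principals that legitimately hold these rights by default.
# Adjust for your environment; anything else is reported.
$expectedHolders = @(
    'BUILTIN\Administrators',
    'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS',
    "$($domain.NetBIOSName)\Domain Controllers",
    "$($domain.NetBIOSName)\Enterprise Read-only Domain Controllers"
)

$ExtendedRight = [int][System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight   # 0x100
$WriteDacl     = [int][System.DirectoryServices.ActiveDirectoryRights]::WriteDacl       # 0x40000
$AllRightsGuid = [Guid]::Empty.ToString()   # ObjectType of all zeros = every extended right

function Get-SuspiciousDomainAces {
    $acl = Get-Acl -Path ("AD:\" + $domainDN)
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $who = $ace.IdentityReference.Value
        if ($who -in $expectedHolders) { continue }
        $rights = [int]$ace.ActiveDirectoryRights
        $guid   = $ace.ObjectType.ToString()
        $finding = $null
        if (($rights -band $ExtendedRight) -ne 0 -and $replicationRights.ContainsKey($guid)) {
            $finding = "holds $($replicationRights[$guid])"
        } elseif (($rights -band $ExtendedRight) -ne 0 -and $guid -eq $AllRightsGuid) {
            $finding = 'holds all extended rights (includes replication)'
        } elseif (($rights -band $WriteDacl) -ne 0) {
            # WriteDacl on the domain object is what lets the relayed Exchange session
            # grant itself new rights; the Exchange permission groups often show up here.
            $finding = 'can rewrite the domain ACL (WriteDacl)'
        }
        if ($finding) {
            [pscustomobject]@{ Identity = $who; Finding = $finding; Inherited = $ace.IsInherited }
        }
    }
}

function Get-DomainAclChangeEvents {
    param([int]$Days = 30)
    # Event 5136 = 'A directory service object was modified'. We keep only changes to the
    # security descriptor of the domain object itself, which is what the attack performs.
    $filter = @{ LogName = 'Security'; Id = 5136; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $xml = [xml]$_.ToXml()
        $d = @{}
        foreach ($item in $xml.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
        if ($d['ObjectDN'] -eq $domainDN -and $d['AttributeLDAPDisplayName'] -eq 'nTSecurityDescriptor') {
            [pscustomobject]@{
                Time      = $_.TimeCreated
                Subject   = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
                Operation = $d['OperationType']   # %%14674 = value added, %%14675 = value deleted
                Sddl      = $d['AttributeValue']
            }
        }
    }
}

Get-SuspiciousDomainAces     | Format-Table -AutoSize
Get-DomainAclChangeEvents -Days 30 | Format-Table -AutoSize
```

The first function answers the exposure question: if a group other than the expected holders is reported with WriteDacl, a relayed Exchange session can change the domain ACL. The second answers the "already compromised" question: a 5136 event on nTSecurityDescriptor whose Subject is the Exchange server's computer account is the relay variant described above, while a human administrator as Subject is the insider variant; either one deserves the same investigation the DatAlert rule prompts.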