Abusing Exchange: One API call away from Domain Admin
Common Information
Type Value
UUID eb46b52c-4248-45b7-ba35-78b5120cf991
Fingerprint bf891ad7aa35b2d2
Analysis status DONE
Considered CTI value 0
Text language
Published Jan. 21, 2019, 6:08 p.m.
Added to db Feb. 18, 2023, 12:48 a.m.
Last updated Nov. 17, 2024, 11:40 p.m.
Headline Abusing Exchange: One API call away from Domain Admin
Title Abusing Exchange: One API call away from Domain Admin
Detected Hints/Tags/Attributes 41/1/21
Attributes
Type #Events CTI Value
CVE 6 cve-2018-8518
Domain 1 privexchange.py
Domain 23 ntlmrelayx.py
Domain 3 httpattack.py
Domain 4128 github.com
Domain 222 www.blackhat.com
File 1 privexchange.py
File 22 ntlmrelayx.py
File 3 httpattack.py
File 208 setup.exe
File 1 fix-domainobjectdacl.ps1
File 1 04262018-webcast-toxic-waste-removal-by-andy-robbins.pdf
Github username 4 dirkjanm
Github username 1 gdedrouas
IPv4 1 2.2.2.5
IPv4 1 14.3.123.4
Microsoft Patch Numbers 1 KB4490059
Url 1 http://dev.testsegment.local/privexchange
Url 1 https://github.com/dirkjanm/privexchange.
Url 1 https://github.com/gdedrouas/exchange-ad-privesc/blob/master/domainobject/fix-domainobjectdacl.ps1
Url 1 https://www.blackhat.com/docs/webcast/04262018-webcast-toxic-waste-removal-by-andy-robbins.pdf