Exchange Emergency Mitigation (EM) service

Yesterday I created a honeypot running Exchange 2019 in the lab. I configured very little and setup a test rule as per the MS blog to stop the SSRF from the “Autodiscover” endpoint to the Powershell function call. I put a custom response with some humour (coz why not!) but I disabled the rule:

This rule was placed in the Autodiscover virtual directory which in Exchange by default is here:

C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\autodiscover\web.config

My custom rule:

<rules>

</conditions>

</rule>

</rules>

</rewrite>

This morning I checked the Honeypot, and I found the following:

Graphical user interface, text, application, email

Description automatically generated

This rule is hosted in:

C:\inetpub\wwwroot\web.config

<rules>

</conditions>

</rule>

</rules>

</rewrite>

As you can see this was modified at 03:21 01/10/2022

Graphical user interface, text, application

Description automatically generated

This comes from:

Exchange Emergency Mitigation Service (Exchange EM Service) | Microsoft Learn

“Exchange Emergency Mitigation (EM) service”

Text

Description automatically generated

You can check if this is enabled by running the following PowerShell:

Add-PSSnapin Microsoft.Exchange.Management.PowerShell.SnapIn; 

Get-OrganizationConfig | Select-Object MitigationsEnabled

So here we can see that with this enabled, the Exchange server will download and deploy the HTTP re-write rules automatically (if the server has the required version/config etc.)

You can enable or disable it with the following:

Set-OrganizationConfig -MitigationsEnabled $true
Set-OrganizationConfig -MitigationsEnabled $false

You can check this feature works using the following (modify path as required for relevent exchange version)

. "C:\Program Files\Microsoft\Exchange Server\V15\Scripts\Test-MitigationServiceConnectivity.ps1"

Check the MS docs and check your Exchange Server version to see if you have this feature etc.

GCM exsetup |%{$_.Fileversioninfo}

You learn something new everyday!

Defense

Exchange Emergency Mitigation Service with new CU Update

This is a big thing in the Exchange world from my POV! I believe this is dropping sometime today (28th September!)

History

Exchange OWA, ECP etc. are exposed online not only for mailbox access, calendar sharing but also are a requirement for hybrid mode sync capabilities.

Vulnerabilities in Exchange this year (ProxyLogon/ProxyShell) have shown how problematic an attack surface this is. The good news is, Microsoft have created a feature for Exchange to help mitigate these attacks in the future via the EM Service!

Defense

How to restore AdminSDHolder Object Permissions using ADSIedit

Ok so the other day “we” as a community put out some guidance around post active directory compromise actions for when you can’t simply nuke the forest from orbit. Well, following on from that a friend asked about how to restore AdminSDHolder permissions? Read more “How to restore AdminSDHolder Object Permissions using ADSIedit” →

Defense

Post Compromise Active Directory Checklist

Nuke it from orbit, it’s the only way to be sure!

Ok, in an ideal world you can re-deploy your entire environment from scratch, but back in the most people’s real world’s that’s not that simple. So, what do we do if we can’t nuke from orbit in a post compromise situation? Well, we need to clean up! This isn’t an exhaustive list, not a total guide. it’s a quick list to make you think about some key common areas and actions that might need to be taken! after all if someone got r00t, who knows what they did! (trust me, most orgs monitoring is a bit naff!)

Potential Actions

Reset all user account passwords twice (thanks @tazwake)
- Reset all administrator passwords
- Reset all service accounts passwords
Reset (twice – but bear in mind the issues with replication so there’s specific guidance on this) the KRBTGT password
Reset all computer account passwords
Check the value of the computer account password change value
- By default, it is 30 days, threat actors can change this to give themselves access using machine hashes for a longer duration. https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/domain-member-maximum-machine-account-password-age
Reset all LAPS Passwords
Reset permissions on AdminSDHolders object
Revoke and re-issue all certificates from ADCS
Check for malicious scheduled tasks (thanks @SchizoDuckie)
Check for malicious WMI event filters
Check for malicious autoruns or other registry-based persistence mechanisms
Check for utilman style backdoors
Check for malicious printers/printer drivers (thanks @SchizoDuckie)
Review Active Directory Delegated access permissions (thank https://twitter.com/@indachtig)
Rotate ADFS token signing and token decryption certificates (thanks @4n6Bexaminer)
Check Service Control Manager (SCM) security descriptors (https://docs.microsoft.com/en-us/windows/win32/services/service-security-and-access-rights) (thanks @EricaZeli)
Check for object changes around initial access/event timescales (thanks @IISResetMe)
Validate group memberships against known baselines (replication metadata, backup, AD reporting tools/reports etc.) (thanks @IISResetMe)
Harden Active Directory (look at pingcastle and MITRE) (thanks @MarkSewe)
Review logon scripts in GPOS and SYSVOL (thanks @CisoDiagonal and A-HAX!)
Rotate Group Managed Service Accounts (GMSA) (thanks @infosecspy)
Rotate LAPS credentials
Review Azure AD/AD Connect (thanks @infosecspy)
Harden Endpoints
Update AV
Deploy EDR
Deploy SYSMON
DNS Zone Integrity (Public and Private) (thanks to @jermuv)
Rote domain trust keys (thanks @DebugPrivilege)
Review potential RBCD Bakdoors (thanks @DebugPrivilege)
Review msDsConsistencyGuid attribute of compromised accounts (thanks @DebugPrivilege)
Check Exchange (easy right?)
Review accounts for “Key Trust Account Mapping” takeover and reset if required (thanks @nodauf)
- https://posts.specterops.io/shadow-credentials-abusing-key-trust-account-mapping-for-takeover-8ee1a53566ab
Review Active Directory Domains and Trusts (thanks @dragon199421)
Deploy new Domain Controllers (keep existing forest/domain metadata)
Clear VSS/Backups/Snapshots that are likely to be classed as unsafe (thanks to @Digit4lbytes) Read more “Post Compromise Active Directory Checklist” →

Defense

Ransomware Defence: Part 2a – Persistence, Privilege Escalation and…

Recap

In Part 1 (Initial Access Defence and Checklist) we looked at ways of hardening your attack surface to defend against initial access. When it comes to ransomware there is a range of elements and variables in the kill chain that need to be successful for the outcomes to be achieved by the criminals. Here we are going to move further into the kill chain to look at further defences. Remember you need to have an “Assume Breach” mindset if you are going to be able to defend against ransomware, that being said, there is a hell of a lot of things you can do for 0 to low investment costs that provide a great ROI. Now some of this is going to be repeated guidance from part 1, that’s ok repetition is good (make sure you are covered from multiple perspectives). Ok let us get to it! Read more “Ransomware Defence: Part 2a – Persistence, Privilege Escalation and Lateral Movement” →

CTF

How to enable NULL Bind on LDAP with Windows…

History of NULL bind

Back in the early Active Directory days NULL bind was actually enabled by default, these days you can get a rootDSE NULL bind out of the box but on Windows Server 2019 you can even disable this!

So why would I want to enable NULL bind? Well, some legacy apps may need it but generally speaking you don’t want NULL bind enabled.

The lesson here is DO NOT copy what I am doing here! Simples! Read more “How to enable NULL Bind on LDAP with Windows Server 2019” →

Defense

Field Notes – Just Patch

Windows update stuck at 0% download status

Often is we find an environment missing software updates it’s easy for someone without hands on experience to say, ‘just patch’. Outside of change requests, outside of authorisation, maintenance windows, roll back plans, communications etc. there is also the fact that ‘just patching’ isn’t that simple. Even for fairly standard patching tasks using Windows Updates you sometimes hit a snag. Today I’m looking at exactly that issue on a server, so I thought I’d post the steps to resolve an issue but also, I think this is a nice way to highlight the realities of patching.

We show a GUI and command line (PowerShell) method to achieve this result (the PowerShell isn’t fancy but I figured you could go away and upgrade that if you fancied some fun). Windows update sometimes has issues (does not all software!) and it is sometimes that we need to help it along the way, so let’s get too it! Read more “Field Notes – Just Patch” →