What starting position does this attack require?

The first step is Exchange machine account → WriteDACL on AdminSDHolder (AD-ADMINSDHOLDER) — a persistence primitive. Assumed environment: on-prem Exchange 2013/2016/2019 unpatched for CVE-2021-26855 et al.

What is the final impact of this kill-chain?

The final step lands on ProxyLogon SSRF + auth bypass (EX-PROXYLOGON), which falls under Initial Access. From here, an operator typically pivots into post-exploitation or maintains persistence.

How can defenders detect or prevent this attack?

Detection and prevention vary per step. Refer to each linked MITRE ATT&CK entry under "References" — every technique on that page lists defensive controls, detection telemetry, and known threat-actor usage.

← RegistryDossier · 6 steps · 5 edges

Approved

ProxyLogon → webshell on Exchange → DA

Unauth SSRF + auth bypass against on-prem Exchange (CAS) — write a webshell as SYSTEM on the Exchange server, dump LSASS for cached domain creds, pivot to DA.

Filed by AD Knowledge BasePublished 2026-05-26

§ Kill-chainDrag · zoom · scroll

Persistence

Exchange machine account → WriteDACL on AdminSDHolder

AD-ADMINSDHOLDER · AdminSDHolder Abuse

Credential Access

DCSync as DA

T1003.006 · DCSync

Reconnaissance

Identify Exchange version

W-RECON-FINGERPRINT · Tech Stack Fingerprinting

Persistence

Drop webshell as SYSTEM on Exchange

W-WEBSHELL · Webshell Deployment

Credential Access

Dump LSASS for cached creds

W-LSASS-PROCDUMP · LSASS via procdump / comsvcs.dll

Initial Access

ProxyLogon SSRF + auth bypass

EX-PROXYLOGON · ProxyLogon (CVE-2021-26855)

§ Context

Assumed environment: on-prem Exchange 2013/2016/2019 unpatched for CVE-2021-26855 et al. Internet-exposed OWA or reachable from an internal foothold. Default Exchange machine account has elevated AD rights.

§ Steps

01
Exchange machine account → WriteDACL on AdminSDHolderPersistence
AD-ADMINSDHOLDER— AdminSDHolder Abuse
02
DCSync as DACredential Access
T1003.006— DCSync
03
Identify Exchange versionReconnaissance
W-RECON-FINGERPRINT— Tech Stack Fingerprinting
04
Drop webshell as SYSTEM on ExchangePersistence
W-WEBSHELL— Webshell Deployment
05
Dump LSASS for cached credsCredential Access
W-LSASS-PROCDUMP— LSASS via procdump / comsvcs.dll
06
ProxyLogon SSRF + auth bypassInitial Access
EX-PROXYLOGON— ProxyLogon (CVE-2021-26855)

§ References

T1003.006DCSync

§ Frequently asked

What is the "ProxyLogon → webshell on Exchange → DA" attack path?: Unauth SSRF + auth bypass against on-prem Exchange (CAS) — write a webshell as SYSTEM on the Exchange server, dump LSASS for cached domain creds, pivot to DA. It chains 6 steps drawn from real-world offensive-security techniques.
What starting position does this attack require?: The first step is Exchange machine account → WriteDACL on AdminSDHolder (AD-ADMINSDHOLDER) — a persistence primitive. Assumed environment: on-prem Exchange 2013/2016/2019 unpatched for CVE-2021-26855 et al.
What is the final impact of this kill-chain?: The final step lands on ProxyLogon SSRF + auth bypass (EX-PROXYLOGON), which falls under Initial Access. From here, an operator typically pivots into post-exploitation or maintains persistence.
How can defenders detect or prevent this attack?: Detection and prevention vary per step. Refer to each linked MITRE ATT&CK entry under "References" — every technique on that page lists defensive controls, detection telemetry, and known threat-actor usage.

ProxyLogon → webshell on Exchange → DA

§ Context

§ Steps

§ References

§ Frequently asked

§ Related dossiers

ProxyShell → SYSTEM on Exchange → DA

Unpatched Confluence (CVE-2023-22515) → internal foothold

Log4Shell (CVE-2021-44228) → RCE → lateral

Spring4Shell (CVE-2022-22965) → JSP webshell on Tomcat

MOVEit Transfer (CVE-2023-34362) → mass data exfil (Cl0p)