What starting position does this attack require?

The first step is Pivot to AD via Exchange privileges (AD-ADMINSDHOLDER) — a persistence primitive. Assumed environment: on-prem Exchange unpatched for CVE-2021-34473 / -34523 / -31207.

What is the final impact of this kill-chain?

The final step lands on Trigger ProxyShell chain (EX-PROXYSHELL), which falls under Initial Access. From here, an operator typically pivots into post-exploitation or maintains persistence.

How can defenders detect or prevent this attack?

Detection and prevention vary per step. Refer to each linked MITRE ATT&CK entry under "References" — every technique on that page lists defensive controls, detection telemetry, and known threat-actor usage.

← RegistryDossier · 6 steps · 5 edges

Approved

ProxyShell → SYSTEM on Exchange → DA

Pre-auth ProxyShell chain (path confusion + EWS email-to-PowerShell + arbitrary file write) deploys a webshell as SYSTEM. Same post-exploitation as ProxyLogon.

Filed by AD Knowledge BasePublished 2026-05-26

§ Kill-chainDrag · zoom · scroll

Persistence

Pivot to AD via Exchange privileges

AD-ADMINSDHOLDER · AdminSDHolder Abuse

Credential Access

DCSync

T1003.006 · DCSync

Reconnaissance

Confirm Exchange version

W-RECON-FINGERPRINT · Tech Stack Fingerprinting

Persistence

Webshell as SYSTEM

W-WEBSHELL · Webshell Deployment

Credential Access

Dump LSASS / harvest tokens

W-LSASS-PROCDUMP · LSASS via procdump / comsvcs.dll

Initial Access

Trigger ProxyShell chain

EX-PROXYSHELL · ProxyShell (CVE-2021-34473/-34523/-31207)

§ Context

Assumed environment: on-prem Exchange unpatched for CVE-2021-34473 / -34523 / -31207. Autodiscover reachable. Reaches internal AD via the Exchange machine account's privileges.

§ Steps

01
Pivot to AD via Exchange privilegesPersistence
AD-ADMINSDHOLDER— AdminSDHolder Abuse
02
DCSyncCredential Access
T1003.006— DCSync
03
Confirm Exchange versionReconnaissance
W-RECON-FINGERPRINT— Tech Stack Fingerprinting
04
Webshell as SYSTEMPersistence
W-WEBSHELL— Webshell Deployment
05
Dump LSASS / harvest tokensCredential Access
W-LSASS-PROCDUMP— LSASS via procdump / comsvcs.dll
06
Trigger ProxyShell chainInitial Access
EX-PROXYSHELL— ProxyShell (CVE-2021-34473/-34523/-31207)

§ References

T1003.006DCSync

§ Frequently asked

What is the "ProxyShell → SYSTEM on Exchange → DA" attack path?: Pre-auth ProxyShell chain (path confusion + EWS email-to-PowerShell + arbitrary file write) deploys a webshell as SYSTEM. Same post-exploitation as ProxyLogon. It chains 6 steps drawn from real-world offensive-security techniques.
What starting position does this attack require?: The first step is Pivot to AD via Exchange privileges (AD-ADMINSDHOLDER) — a persistence primitive. Assumed environment: on-prem Exchange unpatched for CVE-2021-34473 / -34523 / -31207.
What is the final impact of this kill-chain?: The final step lands on Trigger ProxyShell chain (EX-PROXYSHELL), which falls under Initial Access. From here, an operator typically pivots into post-exploitation or maintains persistence.
How can defenders detect or prevent this attack?: Detection and prevention vary per step. Refer to each linked MITRE ATT&CK entry under "References" — every technique on that page lists defensive controls, detection telemetry, and known threat-actor usage.

ProxyShell → SYSTEM on Exchange → DA

§ Context

§ Steps

§ References

§ Frequently asked

§ Related dossiers

ProxyLogon → webshell on Exchange → DA

Unpatched Confluence (CVE-2023-22515) → internal foothold

Log4Shell (CVE-2021-44228) → RCE → lateral

Spring4Shell (CVE-2022-22965) → JSP webshell on Tomcat

MOVEit Transfer (CVE-2023-34362) → mass data exfil (Cl0p)