This can be done by injecting malicious code into the PowerShell audit policy configuration or by using a crafted audit policy that is signed by a trusted certificate authority but has malicious code in the policy. The attacker can then create an audit entry that includes commands that do things like elevate privileges or transfer data to external systems. There are a number of ways that this could be done.
For example, an attacker could inject a script into a trusted certification authority’s certificate. The attacker could create a malicious audit policy that is signed by a trusted certificate authority but has malicious code in the policy. An authenticated attacker can then create an audit entry that includes a command that has been signed by a trusted certificate authority but has malicious code in the audit policy. Auditing a command that has been signed by a trusted certificate authority with a malicious audit policy will result in the command being executed with administrator privileges.
Vulnerability summary
The flaw in the PowerShell audit policy configuration is due to the way malicious code is included into audit policies. The flaw could be exploited by an authenticated attacker who has access to the PowerShell Local Security Authority Subsystem Service (LSASS) account on a vulnerable machine. The attacker could create an audit entry that includes commands that do things like elevate privileges or transfer data to external systems.
Mitigation Strategies -
CVE-2023-32974
An authenticated attacker can use PowerShell remoting to connect to a remote system, send a specially crafted command, and then execute the command on the remote system with administrator privileges.
This type of attack is possible via Windows PowerShell remoting, which allows an authenticated user to connect to a remote system in order to execute commands on the remote system. With this type of attack, there is no need for any certificates or trusted authorities: it is possible for an attacker to just remotely execute malicious code that executes commands on another computer with administrator privileges.
Microsoft Exchange Server Auditing
When you want to audit Exchange Server, it is important that you understand what is being audited. In this blog post, we’ll cover how to use the Exchange Server cmdlets and PowerShell logs to audit your Exchange Server environment.
Timeline
Published on: 06/21/2022 15:15:00 UTC
Last modified on: 06/28/2022 21:31:00 UTC