Listen to this Post

Introduction:
Microsoft Exchange on-premises environments often become security blind spots in Active Directory attack path analysis, leaving organizations vulnerable to mailbox abuse and privilege escalation. ExchangeHound, a new defensive BloodHound OpenGraph collector, maps mailbox delegation, folder permissions, and Exchange RBAC relationships into BloodHound, enabling blue teams to identify and mitigate Exchange-specific attack paths.
Learning Objectives:
- Understand how ExchangeHound extends BloodHound OpenGraph to visualize Microsoft Exchange abuse paths.
- Learn to deploy and run ExchangeHound to collect mailbox permissions and delegation relationships.
- Use Cypher queries in BloodHound to identify high-risk Exchange permissions and privilege chains.
You Should Know:
1. What is ExchangeHound and Why It Matters
ExchangeHound is a defensive OpenGraph collector built for blue teams, detection engineers, and Active Directory/Exchange defenders. It maps high-value Exchange relationships such as FullAccess, SendAs, SendOnBehalf, folder permissions, public folder ACLs, transport rules, and Exchange RBAC assignments into a graph queryable in BloodHound. Exchange permissions are frequently missed during AD-focused attack path analysis and security reviews. For defenders, this creates blind spots around mailbox abuse, impersonation risk, and privilege drift. ExchangeHoud helps defenders surface cross-OU and cross-team mailbox delegation, privileged mailbox exposure (including Tier Zero users), AD-to-mailbox abuse chains, and Kerberoastable delegates with mailbox rights.
Step-by-step guide to install and run ExchangeHound:
First, ensure you have BloodHound CE v8+ (tested on v9) with OpenGraph support, SharpHound AD data already ingested, and an Exchange account with rights to read mailbox and permission metadata.
Installation:
Clone the repository git clone https://github.com/FilipPwn/ExchangeHound.git cd ExchangeHound Ensure Exchange Management Shell is loaded For remote Exchange session, specify -Server parameter
Running ExchangeHound from an Exchange Management Shell session:
Pilot run (recommended first execution) .\ExchangeHound.ps1 -ResultSize 100 -SkipSendOnBehalf -OutputPath .\exchangehound_pilot.json Remote Exchange session .\ExchangeHound.ps1 -Server ex01.contoso.com Collect all optional modules (enables all optional collectors) .\ExchangeHound.ps1 -CollectAll
What this does:
The `-CollectAll` parameter enables all optional collectors, including `-IncludeInherited` and -IncludeDefaultFolderPrincipals. The script will:
– Connect to Exchange and AD via PowerShell
– Enumerate mailboxes and their permission entries
– Resolve SIDs to AD principals
– Generate a JSON payload compatible with BloodHound OpenGraph
– Output the file to the specified path
Sample run output:
PS C:\Users\Administrator\Desktop\ExchangeHound> .\ExchangeHound.ps1 -CollectAll +-+ | ExchangeHound v1.0 | | BloodHound OpenGraph Collector for Exchange | | https://github.com/filippwn/ExchangeHound | +-+ [+] Connected to Exchange server [+] Enumerating mailboxes... [+] Processing FullAccess permissions... [+] Output written to exchangehound_export.json
2. Understanding ExchangeHound’s Data Model
ExchangeHound extends BloodHound with Exchange-specific nodes and relationships, enabling mailbox abuse analysis as part of the same identity graph. The model includes objects such as ExchangeMailbox, ExchangeMailboxFolder, ExchangePublicFolder, ExchangeTransportRule, and ExchangeRbacRole, connected by edges like HasFullAccess, HasSendAs, HasSendOnBehalf, HasFolderAccess, HasCalendarAccess, and HasPublicFolderAccess. At the center of the model is the `ExchangeMailbox` node, linked back to identity through `OwnsMailbox` (owner mapping) and to delegation principals through mailbox permission edges.
Step-by-step guide to query ExchangeHound data in BloodHound:
After ingesting the ExchangeHound JSON export into BloodHound, use these Cypher queries to analyze Exchange relationships.
Query 1: Map user mailbox ownership and permissions
MATCH p=(u:User)-[:OwnsMailbox|HasFullAccess|HasSendAs|HasSendOnBehalf]->(mb:ExchangeMailbox) WHERE u.samaccountname = 'GraceTurner' RETURN p
This query maps user GraceTurner to mailboxes she owns or has delegate access to, showing both explicit permissions and ownership.
Query 2: Find all non-owner full access to Tier Zero user mailboxes
MATCH (u:User {tierzero: true})-[:OwnsMailbox]->(mb:ExchangeMailbox)
MATCH (attacker:User)-[:HasFullAccess]->(mb)
WHERE attacker <> u
RETURN attacker.name, u.name, mb.name
This identifies any user with FullAccess to a Tier Zero user’s mailbox, a high-risk privilege chain.
Query 3: Detect SendAs permissions across organizational units
MATCH (u:User)-[:HasSendAs]->(mb:ExchangeMailbox) WHERE u.ou <> mb.owner_ou RETURN u.samaccountname, mb.name, mb.owner_samaccountname
Cross-OU SendAs permissions can indicate privilege escalation paths.
3. Exchange Permission Abuse Paths (T1098.002)
Adversaries may grant additional permission levels, such as `ReadPermission` or FullAccess, to maintain persistent access to an adversary-controlled email account. The MITRE ATT&CK technique T1098.002 (Additional Email Delegate Permissions) specifically addresses Exchange email delegate permissions abuse. ExchangeHound helps defenders detect this technique by modeling mailbox permissions as graph relationships, enabling detection of unusual delegation patterns.
Step-by-step guide to detecting T1098.002 with ExchangeHound:
Detection via PowerShell auditing:
Audit mailbox permission changes in Exchange Get-AdminAuditLog -Cmdlets Add-MailboxPermission, Remove-MailboxPermission -StartDate (Get-Date).AddDays(-30) | Select-Object CmdletName, ObjectModified, ParameterName, Caller, RunDate Monitor for new mailbox delegations Get-MailboxPermission -Identity "[email protected]" | Where-Object {$<em>.AccessRights -like "FullAccess" -and $</em>.User -notlike "NT AUTHORITY\"}
Detection using ExchangeHound in BloodHound:
// Find all mailbox delegations added in the last 30 days
MATCH (u:User)-[r:HasFullAccess|HasSendAs|HasSendOnBehalf]->(mb:ExchangeMailbox)
WHERE r.created_date > datetime({epochmillis: timestamp() - 2592000000})
RETURN u.name, type(r), mb.name, r.created_date
Mitigation steps:
- Restrict who can delegate mailbox permissions using Exchange RBAC
- Monitor for `Add-MailboxPermission` and `Add-ADPermission` cmdlet usage
- Implement regular reviews of mailbox delegations using ExchangeHound
- Use tiering to protect Tier Zero user mailboxes from delegation
4. Integration with BloodHound OpenGraph Ecosystem
BloodHound OpenGraph enables researchers to quickly ingest new data sets and light up new attack paths across their environment. The OpenGraph extension library includes community contributions for AWS, GitHub, Jamf, and now ExchangeHound.
Step-by-step guide to ingesting ExchangeHound data into BloodHound:
Prerequisites:
- BloodHound CE v8+ with OpenGraph support
- SharpHound AD data already ingested
- ExchangeHound JSON export
Ingestion process:
1. Navigate to BloodHound CE web interface
2. Go to “Upload Data” section
3. Select “OpenGraph Data” upload option
4. Upload the ExchangeHound JSON export file
- BloodHound will validate and ingest the nodes and edges
Verification queries after ingestion:
// Check if ExchangeMailbox nodes were ingested MATCH (n:ExchangeMailbox) RETURN COUNT(n) // Verify Exchange relationship types MATCH ()-[r:HasFullAccess|HasSendAs|HasSendOnBehalf]->() RETURN type(r), COUNT(r)
Expected output:
The graph will now show ExchangeMailbox nodes connected to User nodes via ownership and delegation edges, enabling path-based analysis of Exchange permissions.
5. Advanced Use Cases and Automation
ExchangeHound supports multiple use cases including continuous posture reviews, delegated access audits, incident scoping, and remediation validation after hardening changes.
Step-by-step guide to automating ExchangeHound collection:
Create a scheduled task on Windows Server:
Create scheduled task action $Action = New-ScheduledTaskAction -Execute "PowerShell.exe" -Argument "-ExecutionPolicy Bypass -File C:\scripts\ExchangeHound.ps1 -CollectAll -OutputPath C:\exports\exchangehound_$(Get-Date -Format 'yyyyMMdd_HHmmss').json" Create trigger (daily at 2 AM) $Trigger = New-ScheduledTaskTrigger -Daily -At 02:00AM Register scheduled task Register-ScheduledTask -TaskName "ExchangeHound_Collector" -Action $Action -Trigger $Trigger -RunLevel Highest
Use with SIEM for alerting:
Example Python script to parse ExchangeHound output and send to SIEM
import json
import sys
def process_exchangehound_export(file_path):
with open(file_path, 'r') as f:
data = json.load(f)
Extract high-risk relationships
for node in data.get('nodes', []):
if node.get('label') == 'ExchangeMailbox':
Check for privileged mailboxes
if node.get('properties', {}).get('is_privileged', False):
Send alert to SIEM
print(f"ALERT: Privileged mailbox {node.get('name')}")
Extract cross-OU delegations
for edge in data.get('edges', []):
if edge.get('label') in ['HasFullAccess', 'HasSendAs']:
Check source and target OUs
source_ou = edge.get('properties', {}).get('source_ou')
target_ou = edge.get('properties', {}).get('target_ou')
if source_ou and target_ou and source_ou != target_ou:
print(f"ALERT: Cross-OU delegation from {source_ou} to {target_ou}")
if <strong>name</strong> == "<strong>main</strong>":
process_exchangehound_export(sys.argv[bash])
6. Remediation and Hardening
ExchangeHound helps identify excessive permissions that should be removed to reduce attack surface.
Step-by-step guide to remediation using ExchangeHound findings:
Identify and remove FullAccess permissions for non-owners:
Get all mailboxes with FullAccess from non-owners
Get-Mailbox -ResultSize Unlimited | ForEach-Object {
$mailbox = $<em>.Identity
Get-MailboxPermission -Identity $mailbox | Where-Object {
$</em>.AccessRights -contains "FullAccess" -and
$<em>.User -notlike "NT AUTHORITY\" -and
$</em>.User -notlike "$($mailbox)\"
} | ForEach-Object {
Remove-MailboxPermission -Identity $mailbox -User $_.User -AccessRights FullAccess -Confirm:$false
}
}
Remove SendAs permissions for cross-OU delegations:
Remove SendAs permissions where grantee and grantor are in different OUs
$crossOUDelgations = Get-Mailbox -ResultSize Unlimited | ForEach-Object {
$mailbox = $<em>.Identity
$mailboxOU = (Get-ADUser (Get-Mailbox $mailbox).SamAccountName).DistinguishedName.Split(',')[bash].Split('=')[bash]
Get-ADPermission -Identity $mailbox | Where-Object {
$</em>.ExtendedRights -contains "Send-As" -and
$<em>.User -ne "NT AUTHORITY\SELF" -and
(Get-ADUser $</em>.User -ErrorAction SilentlyContinue).DistinguishedName.Split(',')[bash].Split('=')[bash] -ne $mailboxOU
} | ForEach-Object {
Remove-ADPermission -Identity $mailbox -User $_.User -ExtendedRights "Send-As" -Confirm:$false
}
}
Harden Exchange RBAC:
- Limit membership in high-privileged role groups (Organization Management, Recipient Management)
- Use management role assignment policies to delegate specific permissions
- Regularly audit RBAC assignments with ExchangeHound
What Undercode Say:
- ExchangeHound bridges a critical gap in BloodHound’s AD-focused attack path analysis by bringing Exchange mailbox permissions into the graph.
- Organizations can now detect and mitigate Exchange-specific abuse paths such as cross-OU delegations, Tier Zero mailbox exposure, and Kerberoastable delegates.
- Regular collection and analysis using ExchangeHound should become a standard part of continuous identity posture reviews.
Prediction:
As BloodHound OpenGraph gains adoption, we expect to see a growing ecosystem of community collectors targeting other identity systems like Oracle Identity Manager, SAP Identity Management, and custom IAM solutions. ExchangeHound represents the first step toward comprehensive identity attack path management beyond Active Directory, setting a precedent for how security teams will analyze identity risk across their entire technology stack.
▶️ Related Video (94% Match):
🎯Let’s Practice For Free:
IT/Security Reporter URL:
Reported By: Https: – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅


