One Day Sec

How can an attacker escalate privileges to domain admin by exploiting Exchange Server's ACLs?

By compromising any user in the **Exchange Trusted Subsystem**, **Exchange Windows Permissions**, or **Organization Management** groups, an attacker inherits the **WriteDACL** permission on the domain object. This allows modifying the domain's ACL to grant **DCSync** rights, which enables extraction of all user hashes (especially that of krbtgt) and ultimately the creation of a Golden Ticket to control the domain controller. For a deeper understanding of ACLs in Windows, see Penetration Techniques - Access Control List in Windows.
Tags: Exchange Trusted Subsystem, WriteDACL, DCSync, domain privilege escalation, Golden Ticket, Exchange Windows Permissions
