One Day Sec

How do attackers use PowerView to establish a stealthy backdoor via Exchange group ACLs?

Instead of adding a user directly to an Exchange group, attackers grant a backdoor user **full control** over the group's ACL using **PowerView** (dev version). They retrieve the group's raw AD object, create a new **ACE** granting all rights (including WriteDACL), and commit the change back to the object. Because the group's membership never changes, only its security descriptor does, the backdoor does not show up in membership reviews and is harder to detect. For background on manipulating AD ACLs, refer to Domain Penetration - AdminSDHolder.
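A defender-side check for the kind of ACE this technique leaves behind, added here as an example and not part of the original post. It assumes the RSAT ActiveDirectory module is installed; the group name and the allowlist of expected trustees are placeholders to adapt to the environment.

```powershell
# Added defensive example (not from the original post): audit the DACL of an Exchange
# group for an explicit Allow ACE granting GenericAll or WriteDacl to a principal that
# is not expected to hold it. Assumes the RSAT ActiveDirectory module; $GroupName and
# $Allowed are placeholders.
Import-Module ActiveDirectory

$GroupName = 'Exchange Trusted Subsystem'
# Principals expected to hold full control on the group (placeholder allowlist).
$Allowed = @('Domain Admins', 'Enterprise Admins', 'Exchange Trusted Subsystem', 'SYSTEM')

function Get-SuspiciousGroupAce {
    param([string]$Name, [string[]]$AllowList)

    $group = Get-ADGroup -Identity $Name
    # The AD: PSDrive created by the module exposes the object's security descriptor.
    $acl = Get-Acl -Path ("AD:\" + $group.DistinguishedName)

    $genericAll = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
    $writeDacl  = [System.DirectoryServices.ActiveDirectoryRights]::WriteDacl

    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # Strip the DOMAIN\ prefix so the trustee can be matched against the allowlist.
        $trustee = ($ace.IdentityReference.Value -split '\\')[-1]
        if ($AllowList -contains $trustee) { continue }

        $hasGenericAll = $ace.ActiveDirectoryRights.HasFlag($genericAll)
        $hasWriteDacl  = $ace.ActiveDirectoryRights.HasFlag($writeDacl)
        if (-not ($hasGenericAll -or $hasWriteDacl)) { continue }

        [pscustomobject]@{
            Group      = $group.Name
            Trustee    = $ace.IdentityReference.Value
            Rights     = $ace.ActiveDirectoryRights
            Inherited  = $ace.IsInherited   # a planted ACE is explicit, so expect $false
            ObjectType = $ace.ObjectType    # all-zero GUID means the ACE covers the whole object
        }
    }
}

Get-SuspiciousGroupAce -Name $GroupName -AllowList $Allowed | Format-Table -AutoSize
```

On domain controllers with Directory Service Changes auditing enabled, the same modification is also recorded as Event ID 5136 with the attribute name nTSecurityDescriptor, which gives a detection point that does not depend on periodic ACL review.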
Tags: PowerView, ACE, ACL, backdoor, Exchange Trusted Subsystem, stealth persistence
