One Day Sec

What detection and defense mechanisms can prevent Exchange-based ACL privilege escalation?

Defenders should monitor for unusual membership changes in **Exchange Trusted Subsystem**, **Exchange Windows Permissions**, and **Organization Management** (Security events 4728/4732/4756, "member added to a security group") by enabling the relevant **Advanced Audit Policy** subcategories and forwarding the events to a **SIEM**. Additionally, audit **WriteDACL** (and WriteOwner/GenericAll) grants on the domain object itself: alert on event 5136 when the `nTSecurityDescriptor` attribute changes, which requires "Audit Directory Service Changes" plus a SACL on the domain object. Block or log offensive PowerShell tooling such as **PowerView** with AppLocker, Constrained Language Mode, and script block logging rather than relying on the tool name alone. Regularly diff the domain ACL with a script against a known-good baseline to detect hidden backdoor **ACEs**. For remote access hardening, see Penetration Techniques - Multi-user Login for Windows Remote Desktop.
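The two checks above (domain-object ACL review and Exchange group membership monitoring) as an added PowerShell example; this is not code from the original page. It assumes the RSAT ActiveDirectory module on a domain-joined host, read access to the Security log on the target DC, and that the `$ExpectedPrincipals` allowlist is a placeholder you replace with a baseline taken from a known-good snapshot of your own domain.

```powershell
# Added example, not from the original page. Assumes RSAT ActiveDirectory,
# a domain-joined host, and an allowlist tuned to your environment.
Import-Module ActiveDirectory

# Rights that let a principal rewrite the domain DACL (and from there grant
# replication rights for DCSync). Matched as a substring of the enum text.
$DaclControlRights = 'WriteDacl|WriteOwner|GenericAll'

# Hypothetical baseline of principals expected to hold such rights on the
# domain object. Build yours from a known-good snapshot; do NOT add the
# Exchange groups here, since that is exactly the condition being hunted for.
$ExpectedPrincipals = @(
    'BUILTIN\Administrators',
    'NT AUTHORITY\SYSTEM',
    'CORP\Domain Admins',
    'CORP\Enterprise Admins'
)

$ExchangeGroups = @('Exchange Trusted Subsystem',
                    'Exchange Windows Permissions',
                    'Organization Management')

function Get-DomainDaclControlAces {
    param(
        [string]$DomainDN = (Get-ADDomain).DistinguishedName,
        [string[]]$Allowlist = $ExpectedPrincipals
    )
    # The AD: drive is provided by the ActiveDirectory module.
    $acl = Get-Acl -Path "AD:\$DomainDN"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($ace.ActiveDirectoryRights -notmatch $DaclControlRights) { continue }
        $who = $ace.IdentityReference.Value
        [pscustomobject]@{
            Identity   = $who
            Rights     = $ace.ActiveDirectoryRights
            Inherited  = $ace.IsInherited
            InBaseline = ($Allowlist -contains $who)
        }
    }
}

function Get-ExchangeGroupMemberAdds {
    param(
        [datetime]$Since = (Get-Date).AddDays(-7),
        [string]$ComputerName = $env:COMPUTERNAME   # a DC or your event forwarder
    )
    # 4728/4732/4756 = member added to a global/local/universal security group.
    $filter = @{ LogName = 'Security'; Id = 4728, 4732, 4756; StartTime = $Since }
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter `
                           -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # Read the EventData fields by name from the event XML rather than
        # by positional index, so the script survives schema differences.
        $field = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) {
            $field[$d.Name] = $d.'#text'
        }
        if ($ExchangeGroups -notcontains $field['TargetUserName']) { continue }
        [pscustomobject]@{
            Time   = $e.TimeCreated
            Id     = $e.Id
            Group  = $field['TargetUserName']
            Member = $field['MemberName']
            Actor  = "$($field['SubjectDomainName'])\$($field['SubjectUserName'])"
        }
    }
}

# Report: ACEs outside the baseline first, then recent membership changes.
Get-DomainDaclControlAces | Where-Object { -not $_.InBaseline } | Format-Table -AutoSize
Get-ExchangeGroupMemberAdds | Sort-Object Time | Format-Table -AutoSize
```

Run it as a scheduled job against a domain controller and ship the output to your SIEM. Anything outside the baseline on the domain object, including the Exchange Windows Permissions group itself holding WriteDacl, is worth a ticket; legitimate Exchange setup and CU installs also touch these groups, so pair membership alerts with change records. Note that the ACL check catches an ACE that already exists, while catching the moment it is written still needs event 5136 with Directory Service Changes auditing and a SACL on the domain object.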
Tags: detection, defense, ACL auditing, Exchange groups, WriteDACL, advanced audit policy
