Windows Service Privilege Escalation

You have now gained an initial foothold on the network, and you are almost certain the end user is a low-privilege user. Yes, you need to elevate privileges to local administrator, or maybe to SYSTEM level, or, if you are in luck, domain admin.

 
So what are we talking about here, you may ask? Privilege escalation: a privilege escalation happens when a low-level user requires access to a user or a service to increase privileges on a compromised workstation, server, etc.

Hacker thoughts and post-exploitation assumptions:

  • The initial intrusion could start from anywhere: a phishing attack, a guest account, a local authenticated user?
  • Living off the land: built-in Windows tools, such as Windows binaries and PowerShell, come to the rescue?
  • Windows services and third-party applications: leverage and exploit them to our advantage and escalate a low-privilege user to admin and/or SYSTEM.
  • Exploiting weak folder permissions, and mounting and redirecting folders.
  • Classic DLL hijacking to gain elevated privileges.

Steps to exploit weak services and binary implants

Assume we have compromised an end user's fully patched Windows 10 workstation and the compromised user is, as expected, a low-level user (Authenticated User) with no special permissions or rights.

There are different and easy ways to elevate privileges from a low-level user all the way to domain admin in less security-conscious environments, e.g. the GPP vulnerability, extracting the cpassword field in the SYSVOL Groups.xml file, etc.

Here, we will be looking at a different attack vector that is often overlooked: Windows and third-party services. Windows and third-party service binaries often run under SYSTEM or a high integrity level, so any vulnerability in a service could result in privilege escalation.

Windows services are a vast subject; a link for your further unsupervised reading is here.

Naturally, I go for a quick PowerShell one-liner to list all the potentially vulnerable services on the C:\ drive: Get-WMIObject win32_service to look for services running outside of the c:\windows folder; the -eq “auto” checks whether the service is set to auto start; finally, we check whether the service runs under the LocalSystem privileged account and output where its path is located.

 

Figure 1 We identified c:\Users\lowuser\Desktop\AwesomeService\Secure.exe; the path sits on the user's desktop and runs with LocalSystem integrity level.

Icacls is the native Microsoft binary for listing security descriptors on folders and files; (F) indicates lowuser has full control over the Secure.exe binary. An obvious fail, but this does happen all the time.

Figure 2 Lowuser has full control of the folder

Security Descriptor Definition Language (SDDL) is used in the Windows world to define access to and protect objects, for example folders, shares, Active Directory objects, Windows event logs, etc. SC sdshow lists the access list for AwesomeService, i.e. it identifies which user groups have access, etc.

Figure 3 AwesomeService a.k.a. Secure.exe SDDL

Brilliant description with SDDL breakdown here:

You might have noticed from the SDDL output that Authenticated Users is not part of the SDDL; we can add our lowuser account with specific access.

 

 


Figure 4 Interactive user but not Authenticated User e.g. lowuser account

In order to add the lowuser account to the SDDL we need the user's security identifier; we can identify the user SID in the following location:

C:\Users\lowuser\AppData\Roaming\Microsoft\Protect

Figure 5 Low user SID

Whoami /all is another way to list the user SID.

Figure 6 whoami /all in cmd.exe

SC sdset is used to set Read Property and Write Property for Authenticated Users.

Figure 6 SetServiceObjectSecurity successfully set.

Figure 7 Authenticated Users is set and is part of the SDDL.
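
A defender's check for the descriptor that SC sdshow prints, as an added example that is not part of the original post: it parses the DACL and reports non-administrative trustees that can start/stop or reconfigure the service. The function names are hypothetical, and the SDDL strings and the SID are constructed samples.

```python
import re

# Service-specific meaning of the two-letter SDDL right codes.
SERVICE_RIGHTS = {
    "CC": "SERVICE_QUERY_CONFIG", "DC": "SERVICE_CHANGE_CONFIG",
    "LC": "SERVICE_QUERY_STATUS", "SW": "SERVICE_ENUMERATE_DEPENDENTS",
    "RP": "SERVICE_START", "WP": "SERVICE_STOP",
    "DT": "SERVICE_PAUSE_CONTINUE", "LO": "SERVICE_INTERROGATE",
    "CR": "SERVICE_USER_DEFINED_CONTROL", "SD": "DELETE",
    "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
    "GA": "GENERIC_ALL", "GW": "GENERIC_WRITE",
}
# The same rights as access-mask bits, for ACEs written as a hex mask.
MASK_BITS = {
    0x1: "CC", 0x2: "DC", 0x4: "LC", 0x8: "SW", 0x10: "RP", 0x20: "WP",
    0x40: "DT", 0x80: "LO", 0x100: "CR", 0x10000: "SD", 0x20000: "RC",
    0x40000: "WD", 0x80000: "WO", 0x10000000: "GA", 0x40000000: "GW",
}
HIGH = {"DC", "WD", "WO", "GA", "GW"}        # reconfigure or take over the service
RESTART = {"RP", "WP"}                       # start/stop: enough if the binary is writable
PRIVILEGED = {"SY", "BA", "DA", "EA", "LA"}  # trustees expected to hold these rights


def parse_rights(field):
    """Turn an ACE rights field (letter codes or a hex mask) into a set of codes."""
    if field.lower().startswith("0x"):
        mask = int(field, 16)
        return {code for bit, code in MASK_BITS.items() if mask & bit}
    return {field[i:i + 2] for i in range(0, len(field), 2)}


def parse_dacl(sddl):
    """Yield (ace_type, rights, trustee) for each ACE in the DACL; the SACL is ignored."""
    dacl = re.search(r"D:[A-Z]*((?:\([^()]*\))+)", sddl)
    if not dacl:
        return
    for ace in re.findall(r"\(([^()]*)\)", dacl.group(1)):
        fields = ace.split(";")
        if len(fields) >= 6:
            yield fields[0], parse_rights(fields[2]), fields[5]


def audit_service_sddl(sddl):
    """Return (trustee, severity, rights) for each risky allow-ACE held by a non-admin."""
    findings = []
    for ace_type, rights, trustee in parse_dacl(sddl):
        risky = rights & (HIGH | RESTART)
        if ace_type != "A" or trustee in PRIVILEGED or not risky:
            continue
        severity = "high" if rights & HIGH else "restart"
        findings.append((trustee, severity, sorted(SERVICE_RIGHTS[r] for r in risky)))
    return findings


# Constructed samples: a default-style service descriptor, the same descriptor with
# start/stop added for Authenticated Users (AU), and a hex-mask ACE for a made-up SID.
DEFAULT_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
                "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
                "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")
MODIFIED_SDDL = DEFAULT_SDDL.replace("S:(", "(A;;RPWP;;;AU)S:(")
HEX_SDDL = "D:(A;;0x2;;;S-1-5-21-1111111111-2222222222-3333333333-1001)"

if __name__ == "__main__":
    for label, sddl in [("default", DEFAULT_SDDL), ("modified", MODIFIED_SDDL),
                        ("hex mask", HEX_SDDL)]:
        print(label, audit_service_sddl(sddl))
```

A "restart" finding matters most when the service binary or its folder is also writable by the same principal, which is the combination this walkthrough relies on.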

Privilege escalation steps:

  • Lowuser has full control of the C:\Users\lowuser\Desktop\AwesomeService\ folder
  • We can modify, change, delete, replace
  • Build an Empire executable and replace Secure.exe with our own callback agent
  • Reboot the service
  • Elevate privilege from lowuser to SYSTEM integrity level

 

We compiled an Empire agent executable, named it Secure.exe and copied it to our target service location (replacing the legitimate Secure.exe service binary with our own executable).

Figure 8 Compiled Empire callback, named exactly the same as Secure.exe

As expected, we got a shell from the victim machine with SYSTEM privilege, successfully elevated from lowuser to the SYSTEM user.

Figure 9 Secure process shell with integrity level SYSTEM.

A final couple of words: log, log, log everything from your end user workstations, and ensure third-party services are not running under HIGH/SYSTEM integrity.

I hope this has been informative

LSA Secrets, Service Account Password Extraction, NT/SYSTEM Privilege Account, gMSAs

In this article we talk about one of the most common vulnerabilities that exist in modern enterprise Windows network infrastructure. We demonstrate how an attacker elevates privilege from an administrator account to NT AUTHORITY\SYSTEM, which is the highest privilege on a local Windows system. The idea is to use NT AUTHORITY\SYSTEM privilege to interact with LSA secrets and extract passwords from service accounts. Often these service accounts are misconfigured in modern Windows enterprises, which is likely to enable a low-privilege user to gain higher privileges.

Technical assumptions:

  • The attacker has elevated privilege (Local Admin)
  • The attacker identified a service account, AwesomeService.exe, installed locally and running under local administrator privilege

 

Accessing the SAM hive file in Regedit (Registry Editor) requires NT AUTHORITY\SYSTEM privilege; we cannot access the SAM hive with Windows local administrative permissions.

Figure 1 SAM hive set to full control permission

We launch Registry Editor under local administrative privilege; we are not able to read, write or modify the SAM files.

Figure 2 Regedit under the Windows administrator privileged account.

We elevate from local administrator privilege to NT AUTHORITY\SYSTEM privilege using Sysinternals PsExec (Mark Russinovich's copy of PsExec is here) with -i (interactive), -s (run the remote process in the System account) and -d (don't wait for the process to terminate).

Figure 3 PsExec elevated privilege from local admin to NT AUTHORITY\SYSTEM

NT AUTHORITY\SYSTEM has access to the SAM hive files.

Figure 4 Corroborates the SAM hive access via SYSTEM privilege

We are not really interested in the SAM/SYSTEM contents. We are after LSA Secrets and service account password extraction; however, we need to create and compile a Windows 10 compatible service and install it locally on our Windows 10 machine.

Figure 5 We created AwesomeService.exe with DisplayName “Windows Update”, using SC (Service Control) to install it and set the start type to auto start.

Display name set as Windows Update

Figure 6 AwesomeService.exe runs as a service under local administrator privilege.

The AwesomeService current value is in binary form.

Figure 7 AwesomeService in binary value

The lsasecret.exe /service AwesomeService command dumps the clear-text password from the registry.

Figure 8 Extracted the openSSHd and AwesomeService accounts from the registry.

Link to lsasecret.exe on GitHub; the original source code is from “Timothy D. Morgan”.

 

Mitigation:

There are a couple of solutions to mitigate this particular vulnerability. The easiest and Microsoft-recommended approach is to use the native Windows features Managed Service Account (MSA) and Group Managed Service Account (gMSA).

Switch to your Server 2012 domain controller and generate the KDS root key for use with Managed Service Accounts (MSA) and Group Managed Service Accounts (gMSA), using the Add-KdsRootKey PowerShell cmdlet to initialize the key. We need to generate this only once, because it will be used in generating passwords for the Group Managed Service Accounts.

Add-KdsRootKey -EffectiveImmediately

Run this in an administrator PowerShell console. Even with -EffectiveImmediately, it takes 10 hours from the time of creation to allow all domain controllers to replicate before a gMSA can be created. The 10-hour delay is a safety measure to prevent password generation from occurring before all domain controllers are capable of responding to gMSA requests.

Perhaps you may want to run this overnight or over the weekend in a production environment?

 

Service Account Creation

It’s straightforward to create gMSAs (Group Managed Service Accounts). Switch to the server you want to add the service account to; you need the Active Directory PowerShell module, part of RSAT, for this to work.

New-ADServiceAccount -Name svc_Secure -DNSHostName cryptoambient.local -PrincipalsAllowedToRetrieveManagedPassword WIN-12-AV$

Command breakdown:

-Name: service name of your choice

-DNSHostName: FQDN for our domain controller that holds the KDS root key, in my case ambientcrypto.local

-PrincipalsAllowedToRetrieveManagedPassword: this parameter allows you to specify the server(s) that you are going to be running the particular gMSA on.

 

That’s it, simple and extremely reliable to manage service accounts. Good luck 🙂

 

 

 

 

 

Windows Task Scheduler Privilege Escalation ALPC exploit

Quick Description:

A hacker who goes by the name SandboxEscaper decided to upload a 0-day exploit for the task scheduler in Windows 10 32/64-bit and Server 2016 x64. The SchRpcSetSecurity API contains a privilege escalation vulnerability which can allow an authenticated low-privilege user to overwrite the content of certain files protected by ACLs in the filesystem. This is big: an authenticated local user can elevate their privilege to NT AUTHORITY\SYSTEM, which is the highest privilege in the Windows operating system.

Maybe this is a new trend, to release 0-days?

Hey, I link to the code here; hopefully SandboxEscaper doesn’t mind me doing that.

Exploit prerequisites:

-Windows 10 32/64 or Server 2016 system
-Exploit code link here
-CFF PE resource editor link here
-Your own malicious DLL, e.g. msfvenom or the Empire PowerShell post-exploitation framework, etc.

We use the Process Explorer tool to see existing and new running processes. From cmd.exe we launched notepad.exe to create a new process ID (PID), so that we can use the PID to call the hijack DLL with SYSTEM privilege.

Figure 1 notepad process associated with PID 1356, run under cmd.exe.

In CFF Explorer, edit ALPC_Tasksched-LPE.dll, go to RCData 101, right-click and choose Replace Resource (Raw), then select poc.dll, which we generated with Empire C2.

Figure 2 CFF Explorer: edit ALPC_Tasksched-LPE.dll and replace the existing DLL with our Empire C2 DLL for the reverse connection during execution.

InjectDll.exe is run with the notepad PID 3508 and our modified ALP-TaskSched-LPE.PoC.dll

Figure 3 We execute InjectDll.exe with the modified Empire DLL

On the local copy of the Empire agent callback, the “whoami” command shows the session runs under NT AUTHORITY\SYSTEM

Figure 4 Agent runs under the NT AUTHORITY\SYSTEM privilege context

 

Quick Video session here to demonstrate steps taken to corroborate the  ALPC privilege escalation  https://youtu.be/t50v8zGIwWE

Remediation

Wait for Microsoft to release security patch next few weeks…

 

 

 

 

Playing and Hacking Active Directory Certificate Authority

Brief Active Directory Certificate Authority

Microsoft Active Directory Certificate Services (AD CS) provides a platform for generating, issuing and managing Public Key Infrastructure (PKI) certificates. In short, AD CS provides certificates for securing HTTP traffic and also supports other authentication mechanisms, such as computer, user or device accounts on a network.
There is no point in me describing what the certificate authority is used for, as Microsoft has covered this in detail here and here.

The objective of this brief technical article is to demonstrate a common misconfiguration in generating certificates and issuing keys to domain-joined end users. The idea is to show that an attacker can enumerate the certificate authority using the built-in Windows MMC certificate management snap-in in Windows 10 and export private keys to our attacking machine for offline PKCS12 PFX password recovery.
You will probably ask why you would want to extract the private key and recover the password. Well, that depends on the type of certificate, but generally speaking a certificate is used for encrypting traffic, or perhaps for machine authentication to a domain controller, or it can be used as an internal code signing certificate.
In my personal opinion, the Certificate Authority (CA) is a significant attack vector and is often overlooked by system administrators and security professionals. For years, bad actors have utilized and abused certificate authorities to circumvent external/internal technical controls and security operations, and often these attacks go undetected by third-party and built-in signature-based anti-virus products.

So let’s assume a breach scenario here: an attacker has managed to gain a foothold on your end user's Windows 10 workstation, and we also assume the workstation is domain joined and there is a single-tier, domain-joined Active Directory certificate authority installed on a server that issues automated client machine/user certificates to workstations once they have joined the domain (AutoEnrollment Group Policy configured).

LAB Setup and Break down:

Cryotoambient.com SEC-PRI-DC-1 (Primary Lab Domain Controller)

SEC-PRI-DC-02 (Secondary Domain Controller, Certificate Authority installed)

Windows10 domain joined, with Active Directory low-privilege user ambient10

Let’s assume the attacker is in the post-exploitation phase and is enumerating the workstation for vulnerabilities and weaknesses to elevate access from zero to hero: domain administrator privilege. There are different methodologies and techniques to elevate privilege in a Windows environment: unpatched vulnerabilities, PowerShell, vulnerable services, pass the hash, credential theft, and the list goes on.

Let’s focus on how an attacker abuses exportable certificates and reuses the certificate for other malicious use cases.

On the certificate authority we replicated an existing template and named it User_V2.

Figure 1 Notice that "allow private key to be exported" is ticked.

Enabled the certificate templates we created.

Figure 2 Published User/Workstation authentication template.

Group Policy change to enable automatic enrollment.

Figure 3 PKI Group Policy created to allow AutoEnrollment to end user workstations.

Joined our target Windows 10 machine to the domain controller.

Figure 4 DESKTOP-BOB1 Windows 10 joined to the domain controller and waiting for the certificate to be pushed to the user workstation upon first login.

Issued certificates to workstations.

Figure 5 User/Machine certificate issued to the newly joined Windows 10 machine with the user ambient10 as a low-privileged user.

Next we check the newly joined Windows 10 machine's MMC console; under Personal Certificates we see the ambient10 user has been issued a certificate.

Figure 6 We use the export wizard to export the private key in PKCS12 PFX format.

Certificate Export Wizard.

Figure 7 We select export private key from the ambient10 user's personal certificate

ExportPrivateKey certificate saved on the ambient10 user's desktop.

Figure 8 Private key saved on to the ambient user's workstation desktop

Next we move the file to the c:\cert folder on the target workstation 192.168.1.73 for quick certificate transfer to our attacking machine.

Figure 9 From our lab Kali machine we use mount -t cifs to mount the remote folder to the /mnt folder on our attacking machine with the user ambient10 credentials.

Now that we have a copy of the private key in PFX format, we get the crackpkcs12 source code from GitHub here and compile it on our Kali machine. Crackpkcs12 -b certificatefile.pfx or pkc12 format.

Figure 10 Successful brute-force attack, which recovered the password “123”

When was the last time you reviewed/audited your internal Certificate Authority's published certificates? Do you know if the keys are exportable?
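
One way to answer that question from an export of the published templates, as an added example that is not part of the original post: it decodes the exportable-key bit in msPKI-Private-Key-Flag and the auto-enrollment bit in msPKI-Enrollment-Flag and lists the usages each exportable certificate carries. The records are constructed samples shaped like an LDAP export; only the template name User_V2 comes from the lab above.

```python
# Bit values defined for certificate template attributes.
CT_FLAG_EXPORTABLE_KEY = 0x10    # in msPKI-Private-Key-Flag
CT_FLAG_AUTO_ENROLLMENT = 0x20   # in msPKI-Enrollment-Flag

EKU_NAMES = {
    "1.3.6.1.5.5.7.3.2": "Client Authentication",
    "1.3.6.1.5.5.7.3.3": "Code Signing",
    "1.3.6.1.5.5.7.3.4": "Secure Email",
    "1.3.6.1.4.1.311.10.3.4": "Encrypting File System",
}


def flag_set(value, bit):
    """Test one bit; AD returns these attributes as signed 32-bit integers, often as strings."""
    return bool((int(value or 0) & 0xFFFFFFFF) & bit)


def audit_templates(templates):
    """Return (name, auto_enrolled, usages) for every template whose private key
    may be exported, with auto-enrolled templates listed first."""
    findings = []
    for tpl in templates:
        if not flag_set(tpl.get("msPKI-Private-Key-Flag"), CT_FLAG_EXPORTABLE_KEY):
            continue
        auto = flag_set(tpl.get("msPKI-Enrollment-Flag"), CT_FLAG_AUTO_ENROLLMENT)
        ekus = tpl.get("pKIExtendedKeyUsage") or []
        # A template without any EKU yields certificates usable for any purpose.
        usages = [EKU_NAMES.get(oid, oid) for oid in ekus] or ["Any purpose (no EKU)"]
        findings.append((tpl["cn"], auto, usages))
    return sorted(findings, key=lambda f: (not f[1], f[0]))


# Constructed sample records (attribute values as strings or integers).
SAMPLE_TEMPLATES = [
    {"cn": "Workstation_Lab", "msPKI-Private-Key-Flag": "0",
     "msPKI-Enrollment-Flag": "32",
     "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"]},
    {"cn": "CodeSign_Lab", "msPKI-Private-Key-Flag": 16,
     "msPKI-Enrollment-Flag": 0,
     "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.3"]},
    {"cn": "User_V2", "msPKI-Private-Key-Flag": "16842768",
     "msPKI-Enrollment-Flag": "41",
     "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2", "1.3.6.1.5.5.7.3.4",
                             "1.3.6.1.4.1.311.10.3.4"]},
]

if __name__ == "__main__":
    for name, auto, usages in audit_templates(SAMPLE_TEMPLATES):
        print(f"{name}: exportable key, auto-enrolled={auto}, usages={', '.join(usages)}")
```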

 

 

ETERNALROMANCE/SYNERGY EXPLOITATION ON WINDOWS 2012R2

The MS17-010 vulnerability, patched by Microsoft, affects Windows 7 through Windows Server 2016. The Eternalromance/synergy exploits published by the Shadow Brokers are very unstable when tried against Windows Server 2012 and 2016, causing a BSOD on the target machine 100% of the time.

This is not a comprehensive article, but we will demonstrate how we can leverage Sleepya's code and make a minimal code change in order to obtain a privileged Windows meterpreter reverse shell on the target system.

Virtual Environment & prerequisites

Kali Ubuntu Machine, IP address 192.168.1.14

Python v.2.7

Ps1Encode: used to generate PowerShell-based Metasploit reverse shells

https://github.com/CroweCybersecurity/ps1encode

Windows Server 2012 R2 target, IP 192.168.1.30 (not patched with MS17_010)

OK, so without further ado let’s compromise the Windows 2012 R2 server.

The exploit has been published by sleepya https://www.exploit-db.com/exploits/42315/ and works properly without any modification: if we execute the exploit against the Windows 2012 R2 server, it will create a file, C:\pawned.txt, on the target disk.

But you might already be thinking, hm, that doesn’t give me a meterpreter shell on the target box. That’s very much true, but we make a couple of modifications to get the desired shell.

We have now enabled the guest account on our Windows Server 2012 R2 machine.

Figure 1 We set the authentication to “guest” with minimal privilege

Parameters

The exploit code requires two parameters: the target IP address (Windows Server 2012 R2 in our case) and the pipe name. Windows named pipes are not in the scope of this article. The SMB protocol supports three different types of shares: File, a file share, which is a directory tree; Print, a print share, which is access to print shares on the server; and PIPE, inter-process communication that uses a FIFO (first in, first out) model, a.k.a. named pipes.

What other pipe types can you potentially exploit on a Windows server box?

  • Netlogon, samr, lsarpc, spoolss, browser

OK, it’s very straightforward to identify which named pipes are available on a target server. I wrote a Python script which compares the UID to identify if the named pipe exists; if so, it then just checks whether access is allowed or denied.

Script identifies named pipes on the target Windows Server 2012 R2

Figure 2 allows us to identify the named pipes Browser, Spools, Netlogon, LSARPC, SAMR

If we decide to execute the exploit, it will create c:\namlook.txt on the target.

Figure 3 Executed code without reverse shell created c:\namlook.txt

Code snippet creates namlook.txt on the target server

Figure 4 CreateFile function adds pwned.txt on the target server, but there is no reverse shell code.

Executing code with our SCT reverse shell code (SCT file extension, Windows script component)

This is an effective approach to evade security controls, using the SCT extension with embedded PowerShell reverse shell code. We will use PS1encode, which allows us to generate encoded Metasploit code in several different formats.

Exploit Modification/Reverse shell

We can download ps1encode here from GitHub: https://github.com/CroweCybersecurity/ps1encode

SCT Reverse Shell code

Figure 5 Reverse shell code windows/meterpreter/reverse_tcp

Armed with the .SCT reverse shell file, we simply move it to our Python web server on the Kali machine (/var/www/html), or any machine that can be reached from the target server. The idea is that when we execute the exploit against the target server, it uses regsvr32 (Microsoft Register Server), the command-line utility for registering DLLs in the Windows registry.

Reverse shell code

Figure 6 We modified the code to execute our malicious reverse shell .SCT on our target machine

Meterpreter session

We have now configured Metasploit’s exploit/multi/handler to receive the reverse shell.

Figure 7 Handler configured with windows/meterpreter/reverse_tcp

After executing the modified MS17_010 exploit we get a clean meterpreter reverse shell.

Figure 8 sysinfo with NT/Authority priv ….

 

Go and patch please … https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

Eternalblue, DoublePulsar NSA Exploit

This is going to be a series of articles about building the NSA/ShadowBrokers exploit kit. We will cover the following exploits (Eternalblue, EternalRomance, DoublePulsar) against Windows Server 2003, 2008, 2012 and, of course, why not 2016 🙂

I’m not going to cover the background history lessons here; for more information, please read here.

OK, so EternalBlue and EternalRomance are 2 fantastic buffer overflow exploits that exploit SMBv1 in the memmove operation in Srv!SrvOs2FeaToNt. The size is calculated in Srv!SrvOs2FeaListSizeToNt with a simple mathematical mistake, where a DWORD is subtracted into a WORD. The kernel pool is groomed so that the overflow overwrites an SMBv1 buffer. The actual return address pointer (RIP) hijack is later completed in srvnet!SrvNetWskReceiveComplete.

We will not use the NSA backdoor DLL; instead, we generate our own DLL with MSFvenom and execute it against our target machine.

Attacker IP 192.168.1.14 (Kali Linux)

Target IP 192.168.1.28 (lab domain-joined Windows Server 2008 R2 with SMBv1 unpatched)

OK, so I decided to port the NSA exploit kit on to my Kali system.

Figure 1 NSA exploit kit, Windows based, ported to Linux

Figure 2 Exploit kit python fb.py, nice graphical NSA interface 🙂

Figure 3 Set target IP address 192.168.1.26 and callback IP address 192.168.1.14

Figure 4 We use the DoublePulsar exploit to check if the system is already infected 🙂

Figure 5 We choose the backdoor function and set the path /tmp/win2008.bin for the shellcode binary on the target system

Figure 6 Final validation, and we execute the exploit against 192.168.1.26

Figure 7 Successful execution; the shellcode is written to the output file

Figure 8 We use the EternalBlue SMBv1 exploit code and an msfvenom reverse shell DLL to execute code on the target system

Figure 9 We select 1, traditional exploit deployment, using the FUZZBUNCH NSA framework

Figure 10 We execute EternalBlue with our custom DLL

Figure 11 Reverse shell from 192.168.1.26 to our Kali machine 192.168.1.26

So let’s summarize:

  • SMBv1 is bad and easy to exploit
  • The EternalBlue exploit runs with SYSTEM privilege

ShadowBrokers Exploit Network Analysis

So I decided to spend some time investigating the ShadowBrokers EternalBlue exploit attack against Windows on my favourite port, TCP 445, and so I analysed 2 particular, unique, awesome remote execution exploits: EternalRomance and DoublePulsar.

I personally find the NSA exploit naming convention absolutely/incredibly amazing.

A bit of background history lesson

The NSA has tons of money and the best hackers out there. Yeah, people hack for money, and the NSA is willing to pay a lot for zero-day exploits and hacking techniques, but hey, that’s how the security industry works.

EternalBlue is a weaponised exploit kit with a number of zero-day exploit codes for Windows/Linux operating systems. One of the exploits, EternalRomance, is exactly the same as the MS08-067 SMB exploit; the only difference is the year, 2017 O.0

So we created Wireshark PCAP(s) and ran the EternalRomance exploit against an unpatched Windows system (successful compromise with NT/Authority SYSTEM level privilege). The second objective was to reconnect to the compromised system using DoublePulsar, which is a very impressive backdoor that listens on TCP 445 and RDP 3389 to connect back to the target machine (EternalBlue installs DoublePulsar).

The EternalBlue exploit is documented here; the exploit is against an unpatched Windows 7 system.

One interesting observation we made is that when we run the EternalBlue exploit against an unpatched Windows 7 system, it sends a Trans2 request (Trans2 stands for Transaction 2 Subcommand Extension; highlighted in yellow). This particular request is sent just before the exploit is sent; the intent is to check whether the target Windows system has already been exploited or not. The response from the system returns SESSION_SETUP, ERROR: STATUS_NOT_IMPLEMENTED; however, when we look at the packet we see the Multiplex ID is returned as 65 (0x41) for a system that is not compromised and as 81 for a compromised, infected system.

Trans2 Request, SESSION_SETUP: initial request

Figure 1 Trans2 Response SESSION_SETUP, Error: STATUS_NOT_IMPLEMENTED

Buffer overflow payload sent to the target system

Figure 2 Packet contains a large buffer sent to the target Windows server

smb.mid==65 (0x41) confirms Trans2 as the initial check request

Figure 3 Trans2 request is sent to check whether the system is infected or not

EternalBlue PCAP exploit network analysis
https://www.dropbox.com/s/dp64m5ay5xo75li/EternalBlue-Unpatched-Windows7-Exploit.pcap?dl=0
DoublePulsar PCAP exploit network analysis
https://www.dropbox.com/s/kujlk8p0oi7ych6/DoublePulsar-Exploit-mid-81.pcap?dl=0

Wireshark filters

EternalBlue exploit smb.mid == 65 (initial exploit)

DoublePulsar backdoor exploit smb.mid==81 (stealthy backdoor)

So we can conclude that the EternalBlue exploit is used for the initial buffer overflow attack and foothold on the network with NT/Authority SYSTEM privilege, the highest privilege one can have, and DoublePulsar is used for connecting back to the infected system.
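
The same check as the two Wireshark filters, written as detection logic over raw SMB1 messages; this is an added example, not code from the original analysis. It reads the command, status, reply flag and Multiplex ID from the fixed 32-byte SMB1 header and labels Trans2 traffic using the values 65 and 81 reported above. The function names are hypothetical and the sample messages are constructed headers, not bytes taken from the linked PCAPs.

```python
import struct

SMB1_MAGIC = b"\xffSMB"
SMB_COM_TRANSACTION2 = 0x32
STATUS_NOT_IMPLEMENTED = 0xC0000002
FLAG_REPLY = 0x80                  # set in Flags when the message is a server response
HEADER_LEN = 32
MID_CHECK, MID_INFECTED = 65, 81   # Multiplex ID values from the analysis above


def parse_smb1_header(data):
    """Return (command, status, is_reply, mid), or None if this is not SMB1.
    Accepts the message with or without the 4-byte NetBIOS session header."""
    if len(data) >= 8 and data[0] == 0 and data[4:8] == SMB1_MAGIC:
        data = data[4:]
    if len(data) < HEADER_LEN or data[:4] != SMB1_MAGIC:
        return None
    command, status, flags = struct.unpack_from("<BIB", data, 4)
    (mid,) = struct.unpack_from("<H", data, 30)
    return command, status, bool(flags & FLAG_REPLY), mid


def classify(data):
    """Label one SMB message according to the Trans2 check described above."""
    header = parse_smb1_header(data)
    if header is None:
        return "not-smb1"
    command, status, is_reply, mid = header
    if command != SMB_COM_TRANSACTION2:
        return "other"
    if not is_reply:
        # A client may pick MID 65 by chance, so a request alone is a weak signal.
        return "check-request" if mid == MID_CHECK else "other"
    if status == STATUS_NOT_IMPLEMENTED and mid == MID_INFECTED:
        return "compromised"
    if status == STATUS_NOT_IMPLEMENTED and mid == MID_CHECK:
        return "not-compromised"
    return "other"


def triage(messages):
    """Return (index, verdict) for every message worth an analyst's attention."""
    verdicts = enumerate(classify(m) for m in messages)
    return [(i, v) for i, v in verdicts if v not in ("other", "not-smb1")]


def build_sample(command, status, flags, mid):
    """Build a constructed 32-byte SMB1 header (all other fields zero) for testing."""
    return struct.pack("<4sBIBHH8sHHHHH", SMB1_MAGIC, command, status, flags,
                       0, 0, b"\x00" * 8, 0, 0, 0, 0, mid)


# Constructed samples: check request, clean reply, infected reply behind a
# NetBIOS session header, an unrelated negotiate request, and an SMB2 message.
SAMPLES = [
    build_sample(SMB_COM_TRANSACTION2, 0, 0x18, 65),
    build_sample(SMB_COM_TRANSACTION2, STATUS_NOT_IMPLEMENTED, 0x98, 65),
    b"\x00\x00\x00\x20" + build_sample(SMB_COM_TRANSACTION2, STATUS_NOT_IMPLEMENTED, 0x98, 81),
    build_sample(0x72, 0, 0x18, 65),
    b"\xfeSMB" + b"\x00" * 60,
]

if __name__ == "__main__":
    for index, verdict in triage(SAMPLES):
        print(index, verdict)
```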

Mitigation

Go check your entire network, find all SMBv1 and turn it off (SMBv1 is bad)

DKIM Office 365 & DNS change GoDaddy :

Configuring DKIM on Office 365 and GoDaddy

What is DKIM

DomainKeys Identified Mail is an email authentication method designed and implemented to detect email spoofing. It enables the receiver to check an email that claims to have come from a specific “domain”; for example, how do you know that an email you received is not spoofed?

It is intended to prevent forged sender addresses in emails, a very common and effective technique to harvest credentials or drop a malicious attached file on the target system.

Read on phishing and email spam here

OK, so you are bored by now and would like to jump to the configuration with Office 365 and your DNS provider? OK, in my case I will be configuring an Office 365 demo tenant I created for a 30-day trial, and my Go phishing service provider, sorry, I meant GoDaddy.

Please note you should always use SPF/DMARC in addition to DKIM to prevent spoofers from sending you malicious emails that look like they are coming from your domain.

Does this sound complicated at all? DKIM is simple, and especially with Office 365 almost no technical skill is required, but I still see people struggle with this concept.

Step one

Go to Office 365 and Exchange Online Protection and click DKIM. (By default the first DKIM and SPF are already enabled for you, but for any other site you add you need to configure and enable DKIM.)

DKIM

Figure 1 DKIM configuration

If you decide to add a new site: in my example securesystem.co.uk is my domain, registered for the Office 365 demo tenant, and now I want to enable DKIM for www.securesystem.co.uk

Add your domain and click on the Enable button, and you will get an error like this:

CNAME record does not exist for this config. Please publish the following two CNAME records first.

selector1-securesystem-co-uk._domainkey.securesystem1.onmicrosoft.com

selector2-securesystem-co-uk._domainkey.securesystem1.onmicrosoft.com

Figure 2 CNAME selectors for DKIM

You need to add these selectors to your external DNS service, e.g. GoDaddy or any other provider (it could be your own DNS service), so that you can prove you own the domain. I use GoDaddy because it’s cheap and easy to make DNS changes.

GoDaddy DNS portal

Figure 3 Add your selector1 to GoDaddy

Now that we have configured the DNS and pointed the CNAME to Office 365 DKIM, we test it by sending myself an email and capturing the header.

Figure 4 DKIM header is pass and SPF already generated

Nslookup for testing?

Figure 4 nslookup with type=txt to check if DKIM works

Final word: remember, Microsoft has the private key and you no longer have control of your own keys? Maybe secure, maybe not, but hey, it’s easy to enable DKIM 🙂