Exploiting Exchange PowerShell After ProxyNotShell: Part 3 – DLL Loading Chain for RCE
ID: 7a457731-1825-59c6-8d8c-51df97edc1b7
STIX ID: report--7a457731-1825-59c6-8d8c-51df97edc1b7
Feed Name: Zero Day Initiative (ZDI) Blog
This report analyzes a local exploitation technique where the 'expand' utility is vulnerable to argument injection, allowing an attacker to bypass file-extension and path restrictions in a DumpDataReader workflow to extract and place a malicious DLL (FUSE.Paxos.dll). The write-primitive limitations are enumerated and then shown to be overcome by injecting flags (such as -i or -r) that nullify the -F filter, enabling arbitrary file extraction and facilitating DLL-based code execution.
