Blue Team | Incident Response | PowerShell | Red Team | Splunk | Threat Hunting

Detect hidden inbox forward rule in On-Premise Exchange
ByKelvin Yip July 8, 2020April 1, 2024

In many of exchange email account compromise case investigation, attacker trends to add an inbox rule and forward victims’s email to an email account under attacker’s control. In order to make the victim(s) even harder to detect the forward rules, attacker use some more advance technique to hide the forward rules.
There are different research articles discussing hidden inbox forward rule on O365 including Compass Security, Matthew Green and GCITS. That’s why we will discuss it for On-Premise Exchange such as Exchange 2013, 2016 & 2019.

Read More Detect hidden inbox forward rule in On-Premise Exchange
Privileged Account Monitoring | Splunk

Monitor MSSQL authentication with Splunk
ByKelvin Yip July 8, 2020April 1, 2024

Some MSSQL instance by default using “Network Service” to start MSSQL service. It will automatically generate both successful and failure logon from this account. It is advise not to explicit grant database permission to this service account, and monitoring other privilege account with database access.

Read More Monitor MSSQL authentication with Splunk
Splunk

LAPS logging and Splunk
ByKelvin Yip July 8, 2020February 25, 2024

When I try to search it in Splunk, nothing comes out!! According to Splunk, Event Code 4662 is too noisy, and Splunk gives an example to filter all Event Code 4662. I realize I use the sample inputs.conf from Splunk. Below is snippet of default inputs.conf.

It took me a couple of days trying many combination of inputs.conf, and finally I figure out the correct syntax.

Read More LAPS logging and Splunk

Detect hidden inbox forward rule in On-Premise Exchange

Monitor MSSQL authentication with Splunk

LAPS logging and Splunk

Products

Services

Resources

Company