Windows DNS logging

Preface: Windows DNS logging is NOT our recommended method for collecting DNS request and reply transactions for continuous security monitoring. However, sometimes there is no other option, especially when the Windows DNS debug/analytics log is the only available data source during an IR investigation. In the first part of this post, we will discuss the Windows…

Detect hidden inbox forward rule in On-Premise Exchange

In many Exchange email account compromise investigations, the attacker tends to add an inbox rule that forwards the victim's email to an email account under the attacker's control. To make the forwarding rule even harder for the victim(s) to detect, attackers use more advanced techniques to hide it.
There are several research articles discussing hidden inbox forwarding rules on O365, including ones from Compass Security, Matthew Green and GCITS. That's why we will discuss it for On-Premise Exchange, such as Exchange 2013, 2016 & 2019.