Windows DNS analytical log Event Viewer EventID 261 first reply
| | | | |

Windows DNS logging

Preface Windows DNS logging is NOT our recommended method to collect DNS request and reply transaction for continuous security monitoring. However, sometimes we do not have an option, especially when Windows DNS debug/analytics log is the only available data source during IR investigation. In the first part of this post, we will discuss the Windows…

forward rules powershell IncludeHidden
| | | | |

Detect hidden inbox forward rule in On-Premise Exchange

In many of exchange email account compromise case investigation, attacker trends to add an inbox rule and forward victims’s email to an email account under attacker’s control. In order to make the victim(s) even harder to detect the forward rules, attacker use some more advance technique to hide the forward rules.
There are different research articles discussing hidden inbox forward rule on O365 including Compass Security, Matthew Green and GCITS. That’s why we will discuss it for On-Premise Exchange such as Exchange 2013, 2016 & 2019.

PowerShell Core pwsh encoded command
| | |

PowerShell Core Logging

Many security professionals know the importance of PowerShell logging. It give us great visibility for Incident Response and Threat Hunting process. FireEye wrote a great article about PowerShell logging here. As Microsoft already launch Power Shell Core, we also need to consider PowerShell Core (PowerShell 6/7) logging. As a side note, the executable name of PowerShell Core is pwsh.exe and therefore usually co-exists with the original powershell.exe executable. In reality, organizations are shifting more and more workload to cloud such as Azure. Both the developer and operation team trends to use more and more PowerShell to manage their cloud instance. I saw some developer and operation team install PowerShell Core on their own. This may be risky! So, I suggest we turn on the log before they install the tools.