Blue Team | Incident Response | PowerShell | Red Team | Splunk | Threat Hunting

Detect hidden inbox forward rule in On-Premise Exchange
ByKelvin Yip 2020-07-082024-04-01

In many of exchange email account compromise case investigation, attacker trends to add an inbox rule and forward victims’s email to an email account under attacker’s control. In order to make the victim(s) even harder to detect the forward rules, attacker use some more advance technique to hide the forward rules.
There are different research articles discussing hidden inbox forward rule on O365 including Compass Security, Matthew Green and GCITS. That’s why we will discuss it for On-Premise Exchange such as Exchange 2013, 2016 & 2019.

閱讀更多 Detect hidden inbox forward rule in On-Premise Exchange
Privileged Account Monitoring | Splunk

Monitor MSSQL authentication with Splunk
ByKelvin Yip 2020-07-082024-04-01

Some MSSQL instance by default using “Network Service” to start MSSQL service. It will automatically generate both successful and failure logon from this account. It is advise not to explicit grant database permission to this service account, and monitoring other privilege account with database access.

閱讀更多 Monitor MSSQL authentication with Splunk
Splunk

LAPS logging and Splunk
ByKelvin Yip 2020-07-082024-02-25

When I try to search it in Splunk, nothing comes out!! According to Splunk, Event Code 4662 is too noisy, and Splunk gives an example to filter all Event Code 4662. I realize I use the sample inputs.conf from Splunk. Below is snippet of default inputs.conf.

It took me a couple of days trying many combination of inputs.conf, and finally I figure out the correct syntax.

閱讀更多 LAPS logging and Splunk

Detect hidden inbox forward rule in On-Premise Exchange

Monitor MSSQL authentication with Splunk

LAPS logging and Splunk

產品

服務

資源

公司資訊