A few things from the @Volexity blog to highlight - if you're concerned about being impacted by Dark Halo (who used #SolarWindsOrion for access), it's probably worth a look at your Exchange servers. Check for weirdness in \Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth
Might also be worth checking for what devices can do an ActiveSync - my read on this is that this allows adversaries to copy victim mailboxes to their devices. I'm thinking of this in the same vein as checking for email forwarding rules.
Yes, the adversaries cleaned up, but I think it's still worth a check. If you sent PowerShell logs from your Exchange server anywhere, those would make for some great hunts. Lots of ideas in the excellent blog. https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/
You can follow @likethecoins.
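The three checks in the thread (recent or executable content under owa\auth, ActiveSync device partnerships, and PowerShell logs on the Exchange server) as one script. This is an added example, not code from the thread or from the Volexity post; it assumes the Exchange Management Shell is loaded and that Exchange is installed under the default "C:\Program Files\Microsoft\Exchange Server\V15" root (adjust `$ExchangeRoot` otherwise). The 90-day window is an arbitrary starting point; the directory normally changes only when a CU or security update is installed, so compare against your last patch date.

```powershell
# Added hunting example (not from the thread or the Volexity post).
# Assumes: Exchange Management Shell loaded, default install root (adjust below).
param(
    [string]$ExchangeRoot = "C:\Program Files\Microsoft\Exchange Server\V15",  # assumed default path
    [int]$LookbackDays = 90                                                    # arbitrary window
)

$authDir = Join-Path $ExchangeRoot "FrontEnd\HttpProxy\owa\auth"
$cutoff  = (Get-Date).AddDays(-$LookbackDays)

# 1. Files under owa\auth that were created/modified inside the window, or that are
#    server-side executable content regardless of age. Hash them so you can diff
#    against a known-clean server at the same CU level.
Write-Host "== Recent or executable files under $authDir =="
Get-ChildItem -Path $authDir -Recurse -File -ErrorAction Stop |
    Where-Object {
        $_.LastWriteTime -gt $cutoff -or
        $_.CreationTime  -gt $cutoff -or
        $_.Extension -in '.aspx', '.ashx', '.asmx', '.dll'
    } |
    ForEach-Object {
        [pscustomobject]@{
            Path          = $_.FullName
            CreationTime  = $_.CreationTime
            LastWriteTime = $_.LastWriteTime
            Length        = $_.Length
            SHA256        = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        }
    } |
    Sort-Object LastWriteTime -Descending |
    Format-Table -AutoSize

# 2. ActiveSync partnerships whose first sync falls inside the window. A device the
#    mailbox owner does not recognise is the thing to chase; DeviceType/UserAgent help
#    separate a real phone from a generic client.
Write-Host "== ActiveSync devices first synced after $cutoff =="
Get-MobileDevice -ResultSize Unlimited |
    ForEach-Object {
        $stats = Get-MobileDeviceStatistics -Identity $_.Identity
        [pscustomobject]@{
            Mailbox     = $_.UserDisplayName
            DeviceType  = $_.DeviceType
            DeviceModel = $_.DeviceModel
            DeviceId    = $_.DeviceId
            UserAgent   = $_.DeviceUserAgent
            AccessState = $_.DeviceAccessState
            FirstSync   = $stats.FirstSyncTime
            LastSuccess = $stats.LastSuccessSync
        }
    } |
    Where-Object { $_.FirstSync -gt $cutoff } |
    Sort-Object FirstSync -Descending |
    Format-Table -AutoSize

# 3. Local PowerShell script-block logging (event 4104) for the same window. If these
#    logs are forwarded to a SIEM, run the equivalent query there; this is the local
#    fallback and only works if script-block logging was enabled at the time.
Write-Host "== PowerShell script-block events (4104) since $cutoff =="
Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-PowerShell/Operational'
        Id        = 4104
        StartTime = $cutoff
    } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id,
        @{ Name = 'ScriptSnippet'; Expression = { ($_.Message -replace '\s+', ' ').Substring(0, [Math]::Min(160, $_.Message.Length)) } } |
    Format-Table -AutoSize -Wrap
```

Run it on each Exchange front-end server; section 1 is per server, while sections 2 and 3 depend on where you run them (section 2 queries the organisation, section 3 only the local event log).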