Keepnet Labs E-Mail Threat Simulator allows institutions to defend against major attack vectors. In recent years in particular, the number of targeted attacks has increased significantly. The targets have generally been large corporations, government agencies and political organizations. The more information an organization holds, the more likely it is to be exposed to cyber attacks.
Despite the widespread use of email filters, the majority of attacks still arrive through e-mail. Poor configuration or poor implementation of these products can lead to the false assumption that you are safe. Keepnet Labs allows you to test these assumptions, see your security posture, and take steps to fix the weaknesses that arise from e-mail.
Creating a Trusted Account for E-mail Security Tests
The tests listed in the Keepnet Labs E-Mail Threat Simulator module details require a test account for running and reporting them. This document contains sample configurations for running security and reliability checks with this test account.
The test account will only receive e-mail, and will not be able to send mail to any internal or external e-mail address except Keepnet Labs. This is a safe configuration option that will prevent potential violations.
Creating a Test Account
The test account required for operations can be created with Exchange PowerShell. Start the Exchange Management Shell as a user who has Organization Administration permissions and run the following command:
New-Mailbox -UserPrincipalName "UserPrincipalName" -Alias "Mail Alias" -Name "Mailbox Account Name" -Database "Database Name" -OrganizationalUnit "<Organizational Unit>" -ResetPasswordOnNextLogon $false -Password (ConvertTo-SecureString -String "Password" -AsPlainText -Force)
For example:
New-Mailbox -UserPrincipalName ets@yourdomain.com -Alias ets -Name ETS -Database PERDB -OrganizationalUnit 'OU=SNR,DC=keepnet,DC=aws' -ResetPasswordOnNextLogon $false -Password (ConvertTo-SecureString -String 'StR0ngP@ssw0rd' -AsPlainText -Force)
Restriction of the Authority of the Test Account
We can create the test account as a dummy user and restrict its use of e-mail services in various ways. The following are examples of ways to restrict the test account's ability to send and receive e-mail.
Restrict Email Address
To prevent the test account from sending e-mail to any internal or external address other than ets@keepnethood.com, apply the following configuration steps in order.
Log in to https://ExchangeServer/ecp with Organization Admin authority. Go to Mail Flow > Rules and add a new rule with the plus sign. Give the rule a name and configure it as follows:
In the "Apply this rule if" condition, select "The sender is" and add the test account.
In the "Do the following" action, select "Delete the message without notifying anyone".
Click More Options to display the Exception field.
In the "Except if" condition, select "The recipient > address includes any of these words", enter the address "ets@keepnethood.com" and save the rule.
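The same rule can also be created and checked from the Exchange Management Shell. This is an added example and not part of the original post; the rule name and variable names are assumptions, and the addresses are the ones used in this document.

```powershell
# Added example: the mail flow rule from the steps above, created from the shell.
# Assumptions: the rule name and variable names. Addresses come from this document.
$TestAccount      = 'ets@yourdomain.com'
$AllowedRecipient = 'ets@keepnethood.com'
$RuleName         = 'ETS - drop mail sent by test account'   # hypothetical name

# Create the rule only if it is missing, so the script can be re-run safely.
$rule = Get-TransportRule | Where-Object { $_.Name -eq $RuleName }
if (-not $rule) {
    New-TransportRule -Name $RuleName `
        -From $TestAccount `
        -DeleteMessage $true `
        -ExceptIfRecipientAddressContainsWords $AllowedRecipient `
        -Comments 'Test account may only send to the simulator address' | Out-Null
}

# Read the rule back and check that it does what the steps describe.
$rule     = Get-TransportRule -Identity $RuleName
$senders  = @($rule.From | ForEach-Object { "$_" })
$except   = @($rule.ExceptIfRecipientAddressContainsWords | ForEach-Object { "$_" })
$problems = @()

if ($rule.State -ne 'Enabled')          { $problems += "rule state is $($rule.State)" }
if ($rule.Mode  -ne 'Enforce')          { $problems += "rule mode is $($rule.Mode), messages are not deleted" }
if (-not $rule.DeleteMessage)           { $problems += 'action is not "delete the message"' }
if ($senders -notcontains $TestAccount) { $problems += 'test account is not the sender condition' }
if ($except.Count -ne 1 -or $except[0] -ne $AllowedRecipient) {
    $problems += "unexpected exception list: $($except -join ', ')"
}

if ($problems.Count -eq 0) {
    Write-Output "Rule '$RuleName' is enabled and restricts $TestAccount as intended."
} else {
    $problems | ForEach-Object { Write-Warning $_ }
}
```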
Enable Mailbox Audit Logging for Test Account
Mailboxes created on the Exchange server have audit logging disabled by default. To log all actions performed through the test account, mailbox audit logging can be enabled on the test account with the following command:
Set-Mailbox -Identity "<Test Account>" -AuditEnabled $true
For example:
Set-Mailbox -Identity "ETS Test Account" -AuditEnabled $true
The following command also enables mailbox audit logs on all mailboxes:
Get-Mailbox -ResultSize Unlimited -Filter {RecipientTypeDetails -eq "UserMailbox"} | Set-Mailbox -AuditEnabled $true
The actions recorded in the mailbox audit log can be adjusted with the following command. Different parameters can be enabled for three different groups. Because the records for the owner group log the user's own actions on his or her account, they can be left disabled if not required, so that the log does not grow too large. Admin and delegate group records log the actions of accounts that are authorized on that mailbox.
Set-Mailbox -Identity "ETS Test Account" -AuditAdmin Update, Move, MoveToDeletedItems, SoftDelete, HardDelete, FolderBind, SendAs, SendOnBehalf, Create -AuditDelegate Update, Move, MoveToDeletedItems, SoftDelete, HardDelete, FolderBind, SendAs, SendOnBehalf, Create -AuditEnabled $true
If this command is added to the user creation procedure and run after each mail account is created, mailbox audit logging is enabled on every new mail account, whether it is created automatically or manually.
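To confirm that the settings above took effect and to review what was logged, the mailbox can be checked as follows. This is an added example and not part of the original post; the seven-day window and the variable names are assumptions.

```powershell
# Added example: verify the audit settings on the test account, then review entries.
# Assumptions: variable names and the 7-day review window.
$Identity = 'ETS Test Account'
$Expected = 'Update', 'Move', 'MoveToDeletedItems', 'SoftDelete', 'HardDelete',
            'FolderBind', 'SendAs', 'SendOnBehalf', 'Create'

$mbx = Get-Mailbox -Identity $Identity
if (-not $mbx.AuditEnabled) {
    Write-Warning "Mailbox auditing is NOT enabled on '$Identity'."
}

# Compare the configured admin and delegate actions with the list set above.
foreach ($group in 'AuditAdmin', 'AuditDelegate') {
    $actual  = @($mbx.$group | ForEach-Object { "$_" })
    $missing = @($Expected | Where-Object { $actual -notcontains $_ })
    if ($missing.Count -gt 0) {
        Write-Warning "$group does not log: $($missing -join ', ')"
    } else {
        Write-Output "$group logs all expected actions."
    }
}

# List admin and delegate activity on the mailbox, oldest first.
$entries = Search-MailboxAuditLog -Identity $Identity `
    -LogonTypes Admin, Delegate -ShowDetails `
    -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) -ResultSize 1000

$entries |
    Sort-Object LastAccessed |
    Select-Object LastAccessed, LogonType, LogonUserDisplayName,
                  Operation, OperationResult, FolderPathName, ClientIPAddress |
    Format-Table -AutoSize

# SendAs and SendOnBehalf entries show another account sending as the test account.
$entries |
    Where-Object { $_.Operation -in 'SendAs', 'SendOnBehalf' } |
    Select-Object LastAccessed, LogonUserDisplayName, Operation, ItemSubject
```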
Activating Admin Audit Event Logs
The following command can be run once to enable Admin Audit logs:
Set-AdminAuditLogConfig -AdminAuditLogEnabled $true -AdminAuditLogParameters * -AdminAuditLogCmdlets *
The Admin Audit logs can be searched with the following command:
Search-AdminAuditLog
For example:
Search-AdminAuditLog -Cmdlets New-SendConnector -StartDate 04/20/2014 -EndDate 5/5/2015
The following command will search for the parameters specified in Admin Audit Logs and mail the result to admin@yourdomain.com:
New-AdminAuditLogSearch -Name "Mailbox Quota Change Audit" -Cmdlets Set-Mailbox -Parameters UseDatabaseQuotaDefaults, ProhibitSendReceiveQuota, ProhibitSendQuota -StartDate 01/20/2017 -EndDate 05/05/2018 -StatusMailRecipients admin@yourdomain.com
“This post is originally published at www.keepnetlabs.com”