Automatically generated based on tag:

Title: Microsoft Exchange
Type: Page

Summary:
Microsoft Exchange is a complex mail server ecosystem, running exclusively on the Windows operating system. Microsoft Exchange logs telemetry and events in various text-based log files (100+) and EVTX event logs (40+).

The following log sources can be of forensic interest when investigating the compromise of a Microsoft Exchange server or account:
- Exchange IIS logs, which record the HTTP requests made to the various Exchange HTTP web services.
- EVTX event logs, from Exchange ETW channels (such as the "MSExchange Management" channel) and from other providers, depending on the Windows logging configuration of the Exchange server.
- 20+ text-based log files, each associated with a given Exchange service.
Location:
Exchange IIS logs:
%SystemDrive%\inetpub\logs\LogFiles\W3SVC1 and W3SVC2 folders.

ETW channels:
- MSExchange Management, for usage of cmdlets from the ExchangePowerShell module (that interact with the Exchange Web Services API).
- Microsoft-Windows-Windows Defender/Operational, events 1006 / 1116 and 1007 / 1117, for detections of suspicious behavior related to Exchange.
- Security event 4688, if "Audit Process Creation" is enabled, to identify suspicious processes spawned by the Exchange IIS process.

Exchange components (EWS, ECP, OWA, ExchangePowerShell, ActiveSync, MAPI, etc.) text-based logs:
%SystemDrive%\Program Files\Microsoft\Exchange Server\V15\Logging and TransportRoles folders.
Title: SMTP email headers
Type: Page

Summary:
An email object consists of an envelope and a content. The envelope is the information that email clients and servers use to route the email to the correct recipient(s). The email content is composed of the header section and the email body.

A number of envelope and content headers are common / mandatory in the email lifecycle, and some headers are of precious forensic value. Additionally, some headers are linked to optional security mechanisms (SPF, DKIM, and DMARC) that can help detect illegitimate / spoofed emails.
Location:
Email sender: Return-Path, From, and Reply-To headers. The Return-Path header can be protected against spoofing with SPF. The From header can be protected using DMARC (with SPF and / or DKIM).

Originating server and MTAs: Received header(s).

Email legitimacy and anti-spoofing mechanisms, with associated headers:
- SPF: validates that the originating server is authorized to send emails for the sender domain.
- DKIM (DKIM-Signature header): digitally signs (part of) the email, the signature being verifiable with a public key published for the sender domain.
- DMARC: extends SPF and DKIM by indicating to the receiver the actions to follow (for example, blocking the email and notifying a reporting address) when an email arrives with no or failed SPF / DKIM authentication. Additionally, DMARC checks the alignment of the domains in the "From" header, the DKIM signature, and the SMTP "MAIL FROM" command.
