Exchange 2013 Get-ServerHealth cmdlet triggers New-AcceptedDomain cmdlet

Joseph Liu 1 Reputation point
2022-01-20T07:55:55.767+00:00

Our Exchange team recently issued the Get-ServerHealth and Get-MessageTrackingLog cmdlets, but this triggered our SOC to issue a Solarigate attack alert to us saying that someone has issued one of the following commands.

 Add-FederatedDomain
 New-AcceptedDomain
 Remove-AcceptedDomain
 Remove-FederatedDomain
 Set-AcceptedDomain

We can repeat the same flow by issuing the Get-ServerHealth and Get-MessageTrackingLog cmdlets again.

One thing I don't understand is why the Get-ServerHealth and Get-MessageTrackingLog cmdlets would trigger one of the above xxxDomain cmdlets. Does anybody know the reason?


1 answer

  1. Andy David - MVP 143.6K Reputation points MVP
    2022-01-20T11:52:10.423+00:00

    Who issues those commands exactly? I ran those two commands (Get-ServerHealth and Get-MessageTrackingLog) and then checked the admin audit log, and I see no entries for any of those:

    Add-FederatedDomain
    New-AcceptedDomain
    Remove-AcceptedDomain
    Remove-FederatedDomain
    Set-AcceptedDomain

    1 person found this answer helpful.
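The check the answer describes, written out as an added example (not code from the thread): run the two read-only cmdlets in the Exchange Management Shell on Exchange 2013, then search the admin audit log for the five domain cmdlets the SOC alert named in the same time window. The server name is an assumption; substitute one of your own mailbox servers.

```powershell
# Added example, not from the original thread.
# $serverName is an assumption; point it at one of your mailbox servers.
$serverName = $env:COMPUTERNAME

# The cmdlets named in the Solarigate alert from the question.
$domainCmdlets = 'Add-FederatedDomain', 'New-AcceptedDomain', 'Remove-AcceptedDomain',
                 'Remove-FederatedDomain', 'Set-AcceptedDomain'

# Mark the window before running the two cmdlets that triggered the alert.
$start = (Get-Date).ToUniversalTime()

# The two read-only cmdlets the question says raised the alert.
Get-ServerHealth -Identity $serverName | Out-Null
Get-MessageTrackingLog -Server $serverName -ResultSize 10 | Out-Null

$end = (Get-Date).ToUniversalTime().AddMinutes(5)

# Admin audit logging records cmdlets that change state (Get-*, Search-* and
# Test-* cmdlets are excluded by default), so the two Get-* calls above should
# leave no entry. Any hit on the domain cmdlets in this window is an actual
# configuration change by someone and is worth investigating.
$hits = Search-AdminAuditLog -Cmdlets $domainCmdlets -StartDate $start -EndDate $end

if ($hits) {
    $hits | Select-Object RunDate, Caller, CmdletName, ObjectModified, Succeeded |
        Format-Table -AutoSize
} else {
    "No entries for $($domainCmdlets -join ', ') between $start and $end (UTC)."
}
```

Admin audit log entries are written to an arbitration mailbox and can lag by a few minutes, so re-run the Search-AdminAuditLog part a little later before concluding the log is clean; if it stays empty, the alert was matched on something other than an executed cmdlet and the SOC should look at what their rule actually keyed on.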