T1070.008: Clear Mailbox Data
Adversaries may modify mail and mail application data to remove evidence of their activity. Email applications allow users and other programs to export and delete mailbox data via command line tools or use of APIs. Mail application data can be emails, email metadata, or logs generated by the application or operating system, such as export requests.
Adversaries may manipulate emails and mailbox data to remove logs, artifacts, and metadata, such as evidence of Phishing/Internal Spearphishing, Email Collection, Mail Protocols for command and control, or email-based exfiltration such as Exfiltration Over Alternative Protocol. For example, to remove evidence on Exchange servers adversaries have used the ExchangePowerShell
PowerShell module, including Remove-MailboxExportRequest
to remove evidence of mailbox exports. On Linux and macOS, adversaries may also delete emails through a command line utility called mail
or use AppleScript to interact with APIs on macOS.
Adversaries may also remove emails and metadata/headers indicative of spam or suspicious activity (for example, through the use of organization-wide transport rules) to reduce the likelihood of malicious emails being detected by security products.
Positive Technologies products that cover the technique
MaxPatrol SIEM knowledge base
mitre_attck_collection: PT-CR-494: PST_upload_via_Administrator_Exchange: Detection of attempts to download PST files via Exchange shell and delete information about it
Detection
ID | DS0022 | Data source and component | File: File Deletion | Description | Monitor for deletion of generated artifacts on a host system, including logs or captured files such as quarantined emails. On Windows 10, mail application data is stored in |
---|
ID | DS0015 | Data source and component | Application Log: Application Log Content | Description | In environments using Exchange, monitor logs for the creation or modification of mail processing settings, such as transport rules. |
---|
ID | DS0009 | Data source and component | Process: Process Creation | Description | Monitor for newly executed processes with arguments that may delete or alter generated artifacts on a host system, including logs or captured files such as quarantined emails. |
---|
ID | DS0017 | Data source and component | Command: Command Execution | Description | Monitor executed commands and arguments that may delete or alter generated artifacts on a host system, including logs or captured files such as quarantined emails. In Exchange environments, monitor for PowerShell cmdlets that may create or alter transport rules, such as |
---|
ID | DS0022 | Data source and component | File: File Modification | Description | Monitor for changes made to generated artifacts on a host system, including logs or captured files such as quarantined emails. On Windows 10, mail application data is stored in |
---|
Mitigation
ID | M1022 | Name | Restrict File and Directory Permissions | Description | Protect generated event files that are stored locally with proper permissions and authentication and limit opportunities for adversaries to increase privileges by preventing Privilege Escalation opportunities. |
---|
ID | M1047 | Name | Audit | Description | In an Exchange environment, Administrators can use |
---|
ID | M1029 | Name | Remote Data Storage | Description | Automatically forward mail data and events to a log server or data repository to prevent conditions in which the adversary can locate and manipulate data on the local system. When possible, minimize time delay on event reporting to avoid prolonged storage on the local system. |
---|