MaxPatrol SIEM

Detects cyber incidents that undermine the cyber resilience of a company

T1070.008: Clear Mailbox Data

Adversaries may modify mail and mail application data to remove evidence of their activity. Email applications allow users and other programs to export and delete mailbox data via command line tools or use of APIs. Mail application data can be emails, email metadata, or logs generated by the application or operating system, such as export requests.

Adversaries may manipulate emails and mailbox data to remove logs, artifacts, and metadata, such as evidence of Phishing/Internal Spearphishing, Email Collection, Mail Protocols for command and control, or email-based exfiltration such as Exfiltration Over Alternative Protocol. For example, to remove evidence on Exchange servers adversaries have used the ExchangePowerShell PowerShell module, including Remove-MailboxExportRequest to remove evidence of mailbox exports. On Linux and macOS, adversaries may also delete emails through a command line utility called mail or use AppleScript to interact with APIs on macOS.

Adversaries may also remove emails and metadata/headers indicative of spam or suspicious activity (for example, through the use of organization-wide transport rules) to reduce the likelihood of malicious emails being detected by security products.

Positive Technologies products that cover the technique

MaxPatrol SIEM knowledge base

mitre_attck_collection: PT-CR-494: PST_upload_via_Administrator_Exchange: Detection of attempts to download PST files via Exchange shell and delete information about it

Detection

ID: DS0022
Data source and component: File: File Deletion
Description:

Monitor for deletion of generated artifacts on a host system, including logs or captured files such as quarantined emails.

On Windows 10, mail application data is stored in C:\Users\Username\AppData\Local\Comms\Unistore\data. On Linux, mail data is stored in /var/spool/mail or /var/mail. On macOS, mail data is stored in ~/Library/Mail.

ID: DS0015
Data source and component: Application Log: Application Log Content
Description:

In environments using Exchange, monitor logs for the creation or modification of mail processing settings, such as transport rules.

ID: DS0009
Data source and component: Process: Process Creation
Description:

Monitor for newly executed processes with arguments that may delete or alter generated artifacts on a host system, including logs or captured files such as quarantined emails.

ID: DS0017
Data source and component: Command: Command Execution
Description:

Monitor executed commands and arguments that may delete or alter generated artifacts on a host system, including logs or captured files such as quarantined emails. In Exchange environments, monitor for PowerShell cmdlets that may create or alter transport rules, such as New-TransportRule and Set-TransportRule.
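The following is an added example, not code from the MaxPatrol SIEM knowledge base or from any Positive Technologies rule: detection logic run over constructed PowerShell script block log records (Event ID 4104 style) that flags the cmdlets named above and correlates a mailbox export request with its later removal, the pattern the PT-CR-494 rule description targets. The record layout, user names, file paths and the one-hour window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records shaped like script block logging:
# (timestamp, user, script block text). Not real telemetry.
SAMPLE_EVENTS = [
    ("2024-05-01T10:00:00", "CORP\\admin1", "Get-MailboxStatistics -Identity jdoe"),
    ("2024-05-01T10:02:10", "CORP\\admin1",
     "New-MailboxExportRequest -Mailbox jdoe -FilePath \\\\fs01\\pst\\jdoe.pst"),
    ("2024-05-01T10:14:30", "CORP\\admin1",
     "Remove-MailboxExportRequest -Identity 'jdoe\\MailboxExport' -Confirm:$false"),
    ("2024-05-01T11:00:00", "CORP\\admin2",
     "new-transportrule -Name 'Quiet' -SubjectContainsWords 'phish' -DeleteMessage $true"),
    ("2024-05-01T11:05:00", "CORP\\admin3", "Get-TransportRule | Format-List"),
]

# Cmdlets named in the technique description and detection guidance, plus the
# export cmdlet whose request the removal cmdlet deletes.
EVIDENCE_CMDLETS = ("Remove-MailboxExportRequest", "New-TransportRule", "Set-TransportRule")
EXPORT_CMDLET = "New-MailboxExportRequest"
ALL_CMDLETS = EVIDENCE_CMDLETS + (EXPORT_CMDLET,)
CANONICAL = {c.lower(): c for c in ALL_CMDLETS}
# PowerShell cmdlet names are case-insensitive; guard both sides so that
# e.g. Get-TransportRule does not match New-TransportRule.
CMDLET_RE = re.compile(r"(?<![\w-])(" + "|".join(ALL_CMDLETS) + r")(?![\w-])", re.IGNORECASE)


def cmdlets_in(script):
    """Return the cmdlets of interest found in a script block, in canonical case."""
    return [CANONICAL[m.lower()] for m in CMDLET_RE.findall(script)]


def flag_evidence_tampering(events):
    """Single-event rule: any script block invoking an evidence-removal cmdlet."""
    hits = []
    for ts, user, script in events:
        found = [c for c in cmdlets_in(script) if c in EVIDENCE_CMDLETS]
        if found:
            hits.append((ts, user, found))
    return hits


def correlate_export_then_removal(events, window=timedelta(hours=1)):
    """Correlation rule: the same user creates a mailbox export request and then
    removes an export request within the window (export, then cover-up)."""
    exports, hits = defaultdict(list), []
    for ts, user, script in sorted(events):  # ISO timestamps sort lexically
        t, found = datetime.fromisoformat(ts), cmdlets_in(script)
        if EXPORT_CMDLET in found:
            exports[user].append(t)
        if "Remove-MailboxExportRequest" in found and any(t - e <= window for e in exports[user]):
            hits.append((user, ts))
    return hits
```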

ID: DS0022
Data source and component: File: File Modification
Description:

Monitor for changes made to generated artifacts on a host system, including logs or captured files such as quarantined emails.

On Windows 10, mail application data is stored in C:\Users\Username\AppData\Local\Comms\Unistore\data. On Linux, mail data is stored in /var/spool/mail or /var/mail. On macOS, mail data is stored in ~/Library/Mail.

Mitigation

ID: M1022
Name: Restrict File and Directory Permissions
Description:

Protect generated event files that are stored locally with proper permissions and authentication, and limit the adversary's ability to reach them by preventing Privilege Escalation opportunities.

ID: M1047
Name: Audit
Description:

In an Exchange environment, Administrators can use Get-TransportRule / Remove-TransportRule to discover and remove potentially malicious transport rules.

ID: M1029
Name: Remote Data Storage
Description:

Automatically forward mail data and events to a log server or data repository to prevent conditions in which the adversary can locate and manipulate data on the local system. When possible, minimize time delay on event reporting to avoid prolonged storage on the local system.