Detectionhightest

Remove Exported Mailbox from Exchange Webserver

Detects removal of an exported Exchange mailbox which could be to cover tracks from ProxyShell exploit

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Christian Burkard (Nextron Systems)Created Fri Aug 27Updated Mon Jan 2309570ae5-889e-43ea-aac0-0e1221fb3d95windows

Log Source

Windowsmsexchange-management

ProductWindows← raw: windows

Servicemsexchange-management← raw: msexchange-management

Detection Logic

detection:
    keywords:
        '|all':
            - 'Remove-MailboxExportRequest'
            - ' -Identity '
            - ' -Confirm "False"'
    condition: keywords

False Positives

Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References

Resolving title…

github.com

MITRE ATT&CK

Tactics

TA0005 · Defense Evasion

Techniques

T1070 · Indicator Removal

Rule Metadata

Rule ID

09570ae5-889e-43ea-aac0-0e1221fb3d95

Status

test

Level

high

Type

Detection

Created

Fri Aug 27

Modified

Mon Jan 23

Author

Christian Burkard (Nextron Systems)

Path

rules/windows/builtin/msexchange/win_exchange_proxyshell_remove_mailbox_export.yml

Raw Tags

attack.defense-evasionattack.t1070

View on GitHub