Detectionhightest

Exchange PowerShell Cmdlet History Deleted

Detects the deletion of the Exchange PowerShell cmdlet History logs which may indicate an attempt to destroy forensic evidence

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Nasreddine Bencherchali (Nextron Systems)Created Wed Oct 26Updated Fri Dec 30a55349d8-9588-4c5a-8e3b-1925fe2a4ffewindows

Log Source

WindowsFile Delete

ProductWindows← raw: windows

CategoryFile Delete← raw: file_delete

Detection Logic

detection:
    selection:
        TargetFilename|startswith: '\Logging\CmdletInfra\LocalPowerShell\Cmdlet\'
        TargetFilename|contains: '_Cmdlet_'
    condition: selection

False Positives

Possible FP during log rotation

References

Resolving title…

m365internals.com

MITRE ATT&CK

Tactics

TA0005 · Defense Evasion

Techniques

T1070 · Indicator Removal

Rule Metadata

Rule ID

a55349d8-9588-4c5a-8e3b-1925fe2a4ffe

Status

test

Level

high

Type

Detection

Created

Wed Oct 26

Modified

Fri Dec 30

Author

Nasreddine Bencherchali (Nextron Systems)

Path

rules/windows/file/file_delete/file_delete_win_delete_exchange_powershell_logs.yml

Raw Tags

attack.defense-evasionattack.t1070

View on GitHub