Remove Exported Mailbox from Exchange Webserver

 1title: Remove Exported Mailbox from Exchange Webserver
 2id: 09570ae5-889e-43ea-aac0-0e1221fb3d95
 3status: test
 4description: Detects removal of an exported Exchange mailbox which could be to cover tracks from ProxyShell exploit
 5references:
 6    - https://github.com/rapid7/metasploit-framework/blob/1416b5776d963f21b7b5b45d19f3e961201e0aed/modules/exploits/windows/http/exchange_proxyshell_rce.rb#L430
 7author: Christian Burkard (Nextron Systems)
 8date: 2021-08-27
 9modified: 2023-01-23
10tags:
11    - attack.defense-evasion
12    - attack.t1070
13logsource:
14    service: msexchange-management
15    product: windows
16detection:
17    keywords:
18        '|all':
19            - 'Remove-MailboxExportRequest'
20            - ' -Identity '
21            - ' -Confirm "False"'
22    condition: keywords
23falsepositives:
24    - Unknown
25level: high

References

• metasploit-framework/modules/exploits/windows/http/exchange_proxyshell_rce.rb at 1416b5776d963f21b7b5b45d19f3e961201e0aed · rapid7/metasploit-framework

  

  Metasploit Framework. Contribute to rapid7/metasploit-framework development by creating an account on GitHub.

  
  Read More

Related rules

• Clearing Windows Console History
• DLL Load By System Process From Suspicious Locations
• Disable of ETW Trace - Powershell
• ETW Trace Evasion Activity
• EventLog EVTX File Deleted