Remove Exported Mailbox from Exchange Webserver
Detects removal of an exported Exchange mailbox, which could be an attempt to cover tracks after ProxyShell exploitation
Sigma rule
title: Remove Exported Mailbox from Exchange Webserver
id: 09570ae5-889e-43ea-aac0-0e1221fb3d95
status: test
description: Detects removal of an exported Exchange mailbox which could be to cover tracks from ProxyShell exploit
references:
    - https://github.com/rapid7/metasploit-framework/blob/1416b5776d963f21b7b5b45d19f3e961201e0aed/modules/exploits/windows/http/exchange_proxyshell_rce.rb#L430
author: Christian Burkard (Nextron Systems)
date: 2021/08/27
modified: 2023/01/23
tags:
    - attack.defense_evasion
    - attack.t1070
logsource:
    service: msexchange-management
    product: windows
detection:
    keywords:
        '|all':
            - 'Remove-MailboxExportRequest'
            - ' -Identity '
            - ' -Confirm "False"'
    condition: keywords
falsepositives:
    - Unknown
level: high
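The rule above fires only when all three keywords appear in one MSExchange Management log message. The following is an added illustration (not code from the Sigma project) of that '|all' keyword matching run over constructed sample log messages; it assumes the Sigma default of case-insensitive substring matching and also honours Sigma's '*' and '?' wildcards, which this rule does not use.

```python
import re
from typing import List

# The three keywords from the rule's '|all' list, copied verbatim.
KEYWORDS_ALL = (
    "Remove-MailboxExportRequest",
    " -Identity ",
    ' -Confirm "False"',
)


def _sigma_keyword_to_regex(keyword: str) -> re.Pattern:
    """Turn a Sigma string value into a regex: escape everything, then map the
    Sigma wildcards '*' -> '.*' and '?' -> '.' (assumption: Sigma default semantics)."""
    escaped = re.escape(keyword).replace(r"\*", ".*").replace(r"\?", ".")
    return re.compile(escaped, re.IGNORECASE | re.DOTALL)


_PATTERNS = [_sigma_keyword_to_regex(k) for k in KEYWORDS_ALL]


def matches_rule(message: str) -> bool:
    """True when every keyword of the '|all' list occurs in the message."""
    return all(p.search(message) for p in _PATTERNS)


def scan(messages: List[str]) -> List[int]:
    """Return the indices of messages that would trigger the rule."""
    return [i for i, m in enumerate(messages) if matches_rule(m)]


# Constructed sample messages in the style of MSExchange Management cmdlet
# logging; they are not real log data.
SAMPLE_LOGS = [
    # Non-interactive removal of an export request: all three keywords -> alert.
    'Cmdlet succeeded. Cmdlet Remove-MailboxExportRequest, parameters '
    '-Identity "jdoe\\MailboxExport1" -Confirm "False".',
    # Creating an export request is not covered by this rule.
    'Cmdlet succeeded. Cmdlet New-MailboxExportRequest, parameters '
    '-Mailbox "jdoe" -FilePath "\\\\fileserver\\exports\\jdoe.pst".',
    # Removal without -Confirm "False": an admin answering a prompt; no alert.
    'Cmdlet succeeded. Cmdlet Remove-MailboxExportRequest, parameters '
    '-Identity "jdoe\\MailboxExport1".',
    # Read-only cmdlet with the same parameters: no alert.
    'Cmdlet succeeded. Cmdlet Get-MailboxExportRequest, parameters '
    '-Identity "jdoe\\MailboxExport1" -Confirm "False".',
]

if __name__ == "__main__":
    print("matching message indices:", scan(SAMPLE_LOGS))  # [0]
```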
Related rules
- Clearing Windows Console History
- Event Log Manipulation Using Wevtutil
- Application Whitelisting Bypass via Dxcap.exe
- Base64 Encoded PowerShell Command Detected
- Flash Player Update from Suspicious Location