Remove Exported Mailbox from Exchange Webserver

Detects removal of an exported Exchange mailbox, which could be an attempt to cover tracks after ProxyShell exploitation.

Sigma rule (View on GitHub)

title: Remove Exported Mailbox from Exchange Webserver
id: 09570ae5-889e-43ea-aac0-0e1221fb3d95
status: test
description: Detects removal of an exported Exchange mailbox which could be to cover tracks from ProxyShell exploit
references:
    - https://github.com/rapid7/metasploit-framework/blob/1416b5776d963f21b7b5b45d19f3e961201e0aed/modules/exploits/windows/http/exchange_proxyshell_rce.rb#L430
author: Christian Burkard (Nextron Systems)
date: 2021/08/27
modified: 2023/01/23
tags:
    - attack.defense_evasion
    - attack.t1070
logsource:
    service: msexchange-management
    product: windows
detection:
    keywords:
        '|all':
            - 'Remove-MailboxExportRequest'
            - ' -Identity '
            - ' -Confirm "False"'
    condition: keywords
falsepositives:
    - Unknown
level: high
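To show how the rule's '|all' keyword block is evaluated, here is an added Python example (not part of the Sigma project or the rule above) that applies the three keywords to constructed MSExchange Management log messages; the message shapes and mailbox names are assumptions, not real captured logs.

```python
from typing import Iterable, List

# Keywords copied from the rule's detection block. '|all' means every one of
# them must appear in the event text; Sigma string matching is case-insensitive.
RULE_KEYWORDS = (
    "Remove-MailboxExportRequest",
    " -Identity ",
    ' -Confirm "False"',
)


def matches_rule(message: str, keywords: Iterable[str] = RULE_KEYWORDS) -> bool:
    """Return True when every keyword is a substring of the message (Sigma '|all')."""
    haystack = message.lower()
    return all(kw.lower() in haystack for kw in keywords)


def find_matches(messages: Iterable[str]) -> List[str]:
    """Filter a stream of MSExchange Management log messages down to rule hits."""
    return [m for m in messages if matches_rule(m)]


# Constructed sample messages (hypothetical, not captured from a real server),
# shaped like cmdlet-logging text from the MSExchange Management channel.
SAMPLE_MESSAGES = [
    # Export request created: the precursor step, not what this rule covers.
    'Cmdlet succeeded. Cmdlet New-MailboxExportRequest -Mailbox "jdoe" -FilePath "\\\\srv\\share\\jdoe.pst"',
    # Non-interactive removal of the export request: the rule should fire.
    'Cmdlet succeeded. Cmdlet Remove-MailboxExportRequest -Identity "jdoe\\MailboxExport" -Confirm "False"',
    # Same cmdlet without the -Confirm "False" keyword: no hit.
    'Cmdlet succeeded. Cmdlet Remove-MailboxExportRequest -Identity "jdoe\\MailboxExport"',
    # Different casing still matches because Sigma matching is case-insensitive.
    'Cmdlet succeeded. Cmdlet remove-mailboxexportrequest -identity "bob\\MailboxExport" -confirm "false"',
]

if __name__ == "__main__":
    for hit in find_matches(SAMPLE_MESSAGES):
        print("ALERT:", hit)
```

Only the two removals that carry all three keywords are reported; the export creation and the interactive removal fall through, which is why the rule's false-positive surface is the non-interactive cleanup pattern rather than any use of the cmdlet.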
