Exchange PowerShell Cmdlet History Deleted
Detects the deletion of the Exchange PowerShell cmdlet History logs which may indicate an attempt to destroy forensic evidence
Sigma rule (View on GitHub)
1title: Exchange PowerShell Cmdlet History Deleted
2id: a55349d8-9588-4c5a-8e3b-1925fe2a4ffe
3status: test
4description: Detects the deletion of the Exchange PowerShell cmdlet History logs which may indicate an attempt to destroy forensic evidence
5references:
6 - https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/
7author: Nasreddine Bencherchali (Nextron Systems)
8date: 2022/10/26
9modified: 2022/12/30
10tags:
11 - attack.defense_evasion
12 - attack.t1070
13logsource:
14 category: file_delete
15 product: windows
16detection:
17 selection:
18 TargetFilename|startswith: '\Logging\CmdletInfra\LocalPowerShell\Cmdlet\'
19 TargetFilename|contains: '_Cmdlet_'
20 condition: selection
21falsepositives:
22 - Possible FP during log rotation
23level: high
References
-
This will be a high-level summary of the different logs that can be found on an On-Premises Exchange server, which can be useful during an IR. For each log, I’ll try to explain what we can ac…
Read More
Related rules
- SES Identity Has Been Deleted
- Disable of ETW Trace
- Disable of ETW Trace - Powershell
- DLL Load By System Process From Suspicious Locations
- Fsutil Suspicious Invocation