Sigma rule | Level: high | Hunting

Remove Exported Mailbox from Exchange Webserver

Detects removal of an exported Exchange mailbox, which could be an attempt to cover tracks after exploitation of ProxyShell

MITRE ATT&CK

defense-evasion

Detection Query

keywords:
  "|all":
    - Remove-MailboxExportRequest
    - " -Identity "
    - ' -Confirm "False"'
condition: keywords
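The query above uses Sigma's `keywords` list with the `|all` modifier, so an event matches only when every listed string appears in it. The following added example (not part of the rule or of the Sigma project) implements that matching over constructed MSExchange Management cmdlet-log messages; the sample messages are assumptions about the log format, written to contain the literal strings the rule looks for.

```python
# Added example: evaluate this rule's keywords/|all logic over constructed
# MSExchange Management log messages. Not code from the rule page or Sigma.

# The three strings from the rule's detection section.
KEYWORDS = [
    "Remove-MailboxExportRequest",
    " -Identity ",
    ' -Confirm "False"',
]


def matches_rule(message: str, keywords=KEYWORDS) -> bool:
    """Sigma 'keywords' with '|all': every keyword must occur as a
    case-insensitive substring of the whole event message."""
    msg = message.lower()
    return all(k.lower() in msg for k in keywords)


# Constructed sample events (assumed format, modelled on how the Exchange
# cmdlet log records a cmdlet followed by its parameters).
SAMPLE_EVENTS = [
    # removal of a finished export request with confirmation suppressed:
    # all three keywords present, so the rule fires
    'Remove-MailboxExportRequest -Identity "alice\\MailboxExport" -Confirm "False"',
    # an export being created: different cmdlet, no match
    'New-MailboxExportRequest -Mailbox "alice" -FilePath "\\\\fs\\pst\\alice.pst"',
    # removal that still prompts for confirmation: no ' -Confirm "False"', no match
    'Remove-MailboxExportRequest -Identity "bob\\MailboxExport"',
    # the literal keyword does not cover PowerShell's switch syntax, so this
    # constructed variant is missed; worth knowing when tuning coverage
    'Remove-MailboxExportRequest -Identity "carol\\MailboxExport" -Confirm:$false',
]


def hunt(events):
    """Return the subset of events that satisfy the rule."""
    return [e for e in events if matches_rule(e)]


if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print("ALERT:", hit)
```

Only the first sample is returned; the last one shows that a keyword rule matches the exact text the log source writes, so confirm how your Exchange version records the parameter before relying on it.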

Author

Christian Burkard (Nextron Systems)

Created

2021-08-27

Data Sources

windows / msexchange-management

Platforms

windows

Tags

attack.defense-evasion
attack.t1070

Raw Content

title: Remove Exported Mailbox from Exchange Webserver
id: 09570ae5-889e-43ea-aac0-0e1221fb3d95
status: test
description: Detects removal of an exported Exchange mailbox which could be to cover tracks from ProxyShell exploit
references:
    - https://github.com/rapid7/metasploit-framework/blob/1416b5776d963f21b7b5b45d19f3e961201e0aed/modules/exploits/windows/http/exchange_proxyshell_rce.rb#L430
author: Christian Burkard (Nextron Systems)
date: 2021-08-27
modified: 2023-01-23
tags:
    - attack.defense-evasion
    - attack.t1070
logsource:
    service: msexchange-management
    product: windows
detection:
    keywords:
        '|all':
            - 'Remove-MailboxExportRequest'
            - ' -Identity '
            - ' -Confirm "False"'
    condition: keywords
falsepositives:
    - Unknown
level: high