← Back to Explore
sigmahighHunting
Exchange PowerShell Cmdlet History Deleted
Detects the deletion of the Exchange PowerShell cmdlet History logs which may indicate an attempt to destroy forensic evidence
Detection Query
selection:
TargetFilename|startswith: \Logging\CmdletInfra\LocalPowerShell\Cmdlet\
TargetFilename|contains: _Cmdlet_
condition: selection
Author
Nasreddine Bencherchali (Nextron Systems)
Created
2022-10-26
Data Sources
windowsfile_delete
Platforms
windows
Tags
attack.defense-evasionattack.t1070
Raw Content
title: Exchange PowerShell Cmdlet History Deleted
id: a55349d8-9588-4c5a-8e3b-1925fe2a4ffe
status: test
description: Detects the deletion of the Exchange PowerShell cmdlet History logs which may indicate an attempt to destroy forensic evidence
references:
- https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-10-26
modified: 2022-12-30
tags:
- attack.defense-evasion
- attack.t1070
logsource:
category: file_delete
product: windows
detection:
selection:
TargetFilename|startswith: '\Logging\CmdletInfra\LocalPowerShell\Cmdlet\'
TargetFilename|contains: '_Cmdlet_'
condition: selection
falsepositives:
- Possible FP during log rotation
level: high