Sigma rule · Level: high · Hunting
Exchange PowerShell Cmdlet History Deleted
Detects the deletion of Exchange PowerShell cmdlet history logs, which may indicate an attempt to destroy forensic evidence
MITRE ATT&CK
T1070 (Indicator Removal)
Detection Query
selection:
    TargetFilename|startswith: '\Logging\CmdletInfra\LocalPowerShell\Cmdlet\'
    TargetFilename|contains: '_Cmdlet_'
condition: selection
Author
Nasreddine Bencherchali (Nextron Systems)
Created
2022-10-26
Data Sources
windows / file_delete
Platforms
windows
Tags
attack.stealth, attack.t1070
Raw Content
title: Exchange PowerShell Cmdlet History Deleted
id: a55349d8-9588-4c5a-8e3b-1925fe2a4ffe
status: test
description: Detects the deletion of the Exchange PowerShell cmdlet History logs which may indicate an attempt to destroy forensic evidence
references:
    - https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-10-26
modified: 2022-12-30
tags:
    - attack.stealth
    - attack.t1070
logsource:
    category: file_delete
    product: windows
detection:
    selection:
        TargetFilename|startswith: '\Logging\CmdletInfra\LocalPowerShell\Cmdlet\'
        TargetFilename|contains: '_Cmdlet_'
    condition: selection
falsepositives:
    - Possible FP during log rotation
level: high
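Added example, not part of the rule or of this page: the selection above evaluated in Python over constructed Sysmon file-delete records, followed by a rough triage step for the log-rotation false positive the rule lists. It makes two things visible. First, Sysmon FileDelete (EventID 23) and FileDeleteDetected (EventID 26) record TargetFilename as an absolute path (for example C:\Program Files\Microsoft\Exchange Server\V15\Logging\...), and Sigma's startswith modifier is anchored at the start of the field value, so the path test as written here, anchored on a leading \Logging\ fragment, cannot match such an event; the block evaluates the selection both as written and with the path test relaxed to contains, which is the form that fires on absolute paths. Check the current upstream rule before relying on either reading. Second, the sample paths, the Exchange_Cmdlet_YYYYMMDDHH-N.LOG file naming, the 30-day rotation threshold and every event record are constructed assumptions for the demonstration, not Exchange defaults or real telemetry.

```python
import re
from datetime import datetime, timedelta

# --- Sigma string modifiers (Sigma string matching is case-insensitive) ---
def sigma_startswith(value, needle):
    return value.lower().startswith(needle.lower())

def sigma_contains(value, needle):
    return needle.lower() in value.lower()

# Fragments taken from the rule's selection.
PATH_FRAGMENT = "\\Logging\\CmdletInfra\\LocalPowerShell\\Cmdlet\\"
NAME_FRAGMENT = "_Cmdlet_"

# Sigma's windows/file_delete category maps to Sysmon FileDelete (23)
# and FileDeleteDetected (26).
FILE_DELETE_EVENT_IDS = {23, 26}

def selection_as_written(event):
    """Selection exactly as shown on the page: startswith on the path fragment."""
    f = event["TargetFilename"]
    return sigma_startswith(f, PATH_FRAGMENT) and sigma_contains(f, NAME_FRAGMENT)

def selection_with_contains(event):
    """Same selection with the path test relaxed to contains, so that an
    absolute Sysmon path can match."""
    f = event["TargetFilename"]
    return sigma_contains(f, PATH_FRAGMENT) and sigma_contains(f, NAME_FRAGMENT)

def run_rule(events, selection):
    """Return the TargetFilename of every file-delete event the selection matches."""
    return [e["TargetFilename"] for e in events
            if e["EventID"] in FILE_DELETE_EVENT_IDS and selection(e)]

# --- Triage for the "possible FP during log rotation" note ---------------
# ASSUMPTION: cmdlet log names carry a YYYYMMDDHH stamp, e.g.
# Exchange_Cmdlet_2022102613-1.LOG. A deleted log older than ROTATION_AGE
# relative to the deletion time is treated as likely rotation; a fresh one
# is the case the rule is really after.
STAMP_RE = re.compile(r"_Cmdlet_(\d{10})-\d+\.LOG$", re.IGNORECASE)
ROTATION_AGE = timedelta(days=30)  # assumed threshold, not an Exchange setting

def likely_log_rotation(event):
    m = STAMP_RE.search(event["TargetFilename"])
    if not m:
        return False
    stamp = datetime.strptime(m.group(1), "%Y%m%d%H")
    seen = datetime.strptime(event["UtcTime"], "%Y-%m-%d %H:%M:%S.%f")
    return seen - stamp >= ROTATION_AGE

def triage(events):
    """Map each hit to 'alert' (fresh log deleted) or 'possible-rotation'."""
    out = {}
    for e in events:
        if e["EventID"] in FILE_DELETE_EVENT_IDS and selection_with_contains(e):
            out[e["TargetFilename"]] = "possible-rotation" if likely_log_rotation(e) else "alert"
    return out

# --- Constructed sample events (not real telemetry) -----------------------
EXCH_LOG_DIR = r"C:\Program Files\Microsoft\Exchange Server\V15\Logging\CmdletInfra\LocalPowerShell\Cmdlet"
SAMPLE_EVENTS = [
    # An hour-old cmdlet log deleted: the evidence-destruction case.
    {"EventID": 23, "UtcTime": "2022-10-26 14:03:21.117",
     "TargetFilename": EXCH_LOG_DIR + r"\Exchange_Cmdlet_2022102613-1.LOG"},
    # A month-old cmdlet log deleted: looks like rotation.
    {"EventID": 26, "UtcTime": "2022-10-26 03:00:05.002",
     "TargetFilename": EXCH_LOG_DIR + r"\Exchange_Cmdlet_2022092500-1.LOG"},
    # A deletion elsewhere under Logging (constructed folder): not in scope.
    {"EventID": 23, "UtcTime": "2022-10-26 14:05:00.000",
     "TargetFilename": r"C:\Program Files\Microsoft\Exchange Server\V15\Logging\Other\Other_2022102613-1.LOG"},
    # The cmdlet log being created (FileCreate, EventID 11), not deleted.
    {"EventID": 11, "UtcTime": "2022-10-26 13:00:00.000",
     "TargetFilename": EXCH_LOG_DIR + r"\Exchange_Cmdlet_2022102613-1.LOG"},
]

if __name__ == "__main__":
    print("as written (startswith):", run_rule(SAMPLE_EVENTS, selection_as_written))
    print("with contains:          ", run_rule(SAMPLE_EVENTS, selection_with_contains))
    for path, verdict in triage(SAMPLE_EVENTS).items():
        print(f"{verdict:18} {path}")
```

The rotation heuristic only lowers priority; it does not suppress the hit, since an attacker who deletes the whole folder also removes old logs. Pairing the file-delete event with the deleting Image (cmd.exe or powershell.exe versus an Exchange service process) is the next field to add once real telemetry is available.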