Azure-Sentinel/Hunting Queries/SecurityEvent/HostExportingMailboxAndRemo...

id: 2e2fab4b-83dd-4cf8-b2dd-063d0fd15513
name: Host Exporting Mailbox and Removing Export
description: |
  'This hunting query looks for hosts exporting a mailbox from an on-prem Exchange server, followed by
  that same host removing the export within a short time window. This pattern has been observed by attackers 
  when exfiltrating emails from a target environment. A Mailbox export is unlikely to be a common command run so look for
  activity from unexpected hosts and accounts.
  Reference: https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/'
requiredDataConnectors:
  - connectorId: SecurityEvents
    dataTypes:
      - SecurityEvent
tactics:
  - Collection
relevantTechniques:
  - T1114
tags:
  - Solorigate
  - NOBELIUM
query: |

  // Adjust the timeframe to change the window events need to occur within to alert
  let timeframe = 1h;
  SecurityEvent
  | where EventID == 4688
  | where Process in~ ("powershell.exe", "cmd.exe")
  | where CommandLine contains 'New-MailboxExportRequest'
  | summarize by Computer, timekey = bin(TimeGenerated, timeframe), CommandLine, SubjectUserName
  | join kind=inner (SecurityEvent
  | where EventID == 4688
  | where Process in~ ("powershell.exe", "cmd.exe")
  | where CommandLine contains 'Remove-MailboxExportRequest'
  | summarize by Computer, timekey = bin(TimeGenerated, timeframe), CommandLine, SubjectUserName) on Computer, timekey, SubjectUserName
  | extend commands = pack_array(CommandLine1, CommandLine)
  | summarize by timekey, Computer, tostring(commands), SubjectUserName
  | project-reorder timekey, Computer, SubjectUserName, ['commands']
  | extend HostCustomEntity = Computer, AccountCustomEntity = SubjectUserName

entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: AccountCustomEntity
  - entityType: Host
    fieldMappings:
      - identifier: FullName
        columnName: HostCustomEntity
New queries and some fixes 2020-12-19 20:31:36 +03:00			`id: 2e2fab4b-83dd-4cf8-b2dd-063d0fd15513`
			`name: Host Exporting Mailbox and Removing Export`
			`description: \|`
			`'This hunting query looks for hosts exporting a mailbox from an on-prem Exchange server, followed by`
			`that same host removing the export within a short time window. This pattern has been observed by attackers`
			`when exfiltrating emails from a target environment. A Mailbox export is unlikely to be a common command run so look for`
			`activity from unexpected hosts and accounts.`
			`Reference: https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/'`
			`requiredDataConnectors:`
			`- connectorId: SecurityEvents`
			`dataTypes:`
			`- SecurityEvent`
			`tactics:`
			`- Collection`
			`relevantTechniques:`
			`- T1114`
adding tags 2021-01-16 04:26:22 +03:00			`tags:`
			`- Solorigate`
capitalize for consistency 2021-03-04 21:54:36 +03:00			`- NOBELIUM`
New queries and some fixes 2020-12-19 20:31:36 +03:00			`query: \|`

			`// Adjust the timeframe to change the window events need to occur within to alert`
			`let timeframe = 1h;`
			`SecurityEvent`
Update HostExportingMailboxAndRemovingExport.yaml Adding Event filter in that was missing 2021-01-21 21:39:58 +03:00			`\| where EventID == 4688`
Fixing up syntax and change from contains to has, along with in~ 2020-12-19 21:43:47 +03:00			`\| where Process in~ ("powershell.exe", "cmd.exe")`
New queries and some fixes 2020-12-19 20:31:36 +03:00			`\| where CommandLine contains 'New-MailboxExportRequest'`
			`\| summarize by Computer, timekey = bin(TimeGenerated, timeframe), CommandLine, SubjectUserName`
			`\| join kind=inner (SecurityEvent`
Update HostExportingMailboxAndRemovingExport.yaml Adding Event filter in that was missing 2021-01-21 21:39:58 +03:00			`\| where EventID == 4688`
Fixing up syntax and change from contains to has, along with in~ 2020-12-19 21:43:47 +03:00			`\| where Process in~ ("powershell.exe", "cmd.exe")`
New queries and some fixes 2020-12-19 20:31:36 +03:00			`\| where CommandLine contains 'Remove-MailboxExportRequest'`
			`\| summarize by Computer, timekey = bin(TimeGenerated, timeframe), CommandLine, SubjectUserName) on Computer, timekey, SubjectUserName`
			`\| extend commands = pack_array(CommandLine1, CommandLine)`
			`\| summarize by timekey, Computer, tostring(commands), SubjectUserName`
			`\| project-reorder timekey, Computer, SubjectUserName, ['commands']`
			`\| extend HostCustomEntity = Computer, AccountCustomEntity = SubjectUserName`

			`entityMappings:`
			`- entityType: Account`
			`fieldMappings:`
			`- identifier: FullName`
			`columnName: AccountCustomEntity`
			`- entityType: Host`
			`fieldMappings:`
			`- identifier: FullName`
Update HostExportingMailboxAndRemovingExport.yaml Adding Event filter in that was missing 2021-01-21 21:39:58 +03:00			`columnName: HostCustomEntity`