id: 2e2fab4b-83dd-4cf8-b2dd-063d0fd15513
name: Host Exporting Mailbox and Removing Export
description: |
  'This hunting query looks for hosts exporting a mailbox from an on-prem Exchange server, followed by
  that same host removing the export within a short time window. This pattern has been observed by attackers 
  when exfiltrating emails from a target environment. A Mailbox export is unlikely to be a common command run so look for
  activity from unexpected hosts and accounts.
  Reference: https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/'
requiredDataConnectors:
  - connectorId: SecurityEvents
    dataTypes:
      - SecurityEvent
tactics:
  - Collection
relevantTechniques:
  - T1114
tags:
  - Solorigate
query: |

  // Adjust the timeframe to change the window events need to occur within to alert
  let timeframe = 1h;
  SecurityEvent
  | where Process in~ ("powershell.exe", "cmd.exe")
  | where CommandLine contains 'New-MailboxExportRequest'
  | summarize by Computer, timekey = bin(TimeGenerated, timeframe), CommandLine, SubjectUserName
  | join kind=inner (SecurityEvent
  | where Process in~ ("powershell.exe", "cmd.exe")
  | where CommandLine contains 'Remove-MailboxExportRequest'
  | summarize by Computer, timekey = bin(TimeGenerated, timeframe), CommandLine, SubjectUserName) on Computer, timekey, SubjectUserName
  | extend commands = pack_array(CommandLine1, CommandLine)
  | summarize by timekey, Computer, tostring(commands), SubjectUserName
  | project-reorder timekey, Computer, SubjectUserName, ['commands']
  | extend HostCustomEntity = Computer, AccountCustomEntity = SubjectUserName

entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: AccountCustomEntity
  - entityType: Host
    fieldMappings:
      - identifier: FullName
        columnName: HostCustomEntity