44 строки
1.9 KiB
YAML
44 строки
1.9 KiB
YAML
id: 2e2fab4b-83dd-4cf8-b2dd-063d0fd15513
|
|
name: Host Exporting Mailbox and Removing Export
|
|
description: |
|
|
'This hunting query looks for hosts exporting a mailbox from an on-prem Exchange server, followed by
|
|
that same host removing the export within a short time window. This pattern has been observed by attackers
|
|
when exfiltrating emails from a target environment. A Mailbox export is unlikely to be a common command run so look for
|
|
activity from unexpected hosts and accounts.
|
|
Reference: https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/'
|
|
requiredDataConnectors:
|
|
- connectorId: SecurityEvents
|
|
dataTypes:
|
|
- SecurityEvent
|
|
tactics:
|
|
- Collection
|
|
relevantTechniques:
|
|
- T1114
|
|
tags:
|
|
- Solorigate
|
|
query: |
|
|
|
|
// Adjust the timeframe to change the window events need to occur within to alert
|
|
let timeframe = 1h;
|
|
SecurityEvent
|
|
| where Process in~ ("powershell.exe", "cmd.exe")
|
|
| where CommandLine contains 'New-MailboxExportRequest'
|
|
| summarize by Computer, timekey = bin(TimeGenerated, timeframe), CommandLine, SubjectUserName
|
|
| join kind=inner (SecurityEvent
|
|
| where Process in~ ("powershell.exe", "cmd.exe")
|
|
| where CommandLine contains 'Remove-MailboxExportRequest'
|
|
| summarize by Computer, timekey = bin(TimeGenerated, timeframe), CommandLine, SubjectUserName) on Computer, timekey, SubjectUserName
|
|
| extend commands = pack_array(CommandLine1, CommandLine)
|
|
| summarize by timekey, Computer, tostring(commands), SubjectUserName
|
|
| project-reorder timekey, Computer, SubjectUserName, ['commands']
|
|
| extend HostCustomEntity = Computer, AccountCustomEntity = SubjectUserName
|
|
|
|
entityMappings:
|
|
- entityType: Account
|
|
fieldMappings:
|
|
- identifier: FullName
|
|
columnName: AccountCustomEntity
|
|
- entityType: Host
|
|
fieldMappings:
|
|
- identifier: FullName
|
|
columnName: HostCustomEntity |