Create General attempts to access local email store.md
This commit is contained in:
dreadphones
GitHub
Родитель
90d2985f44
Коммит
f98ee7bc50
|
|
@ -0,0 +1,39 @@
|
|||
# General attempts to access local email store
|
||||
|
||||
|
||||
## Query
|
||||
Use this query to find attempts to access files in the local path containing Outlook emails.
|
||||
```
|
||||
DeviceFileEvents
|
||||
| where FolderPath hasprefix "EmailStorage"
|
||||
| where FolderPath has "Outlook"
|
||||
| project FileName, FolderPath, InitiatingProcessFileName,
|
||||
InitiatingProcessCommandLine, DeviceId, Timestamp
|
||||
```
|
||||
|
||||
## Category
|
||||
|
||||
This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.
|
||||
| Technique, tactic, or state | Covered? (v=yes) | Notes |
|
||||
|------------------------|----------|-------|
|
||||
| Initial access | | |
|
||||
| Execution | | |
|
||||
| Persistence | | |
|
||||
| Privilege escalation | | |
|
||||
| Defense evasion | | |
|
||||
| Credential Access | | |
|
||||
| Discovery | | |
|
||||
| Lateral movement | | |
|
||||
| Collection | v | |
|
||||
| Command and control | | |
|
||||
| Exfiltration | | |
|
||||
| Impact | | |
|
||||
| Vulnerability | | |
|
||||
| Exploit | | |
|
||||
| Misconfiguration | | |
|
||||
| Malware, component | | |
|
||||
| Ransomware | | |
|
||||
|
||||
## Contributor info
|
||||
|
||||
**Contributor:** Microsoft 365 Defender team
|
||||
Загрузка…
Ссылка в новой задаче