Cервис управления информационной безопасностью
Cервис управления информационной безопасностью
Вход Регистрация
MITRE ATT&CK - Technique Clear Mailbox Data
Каталоги
MITRE ATT&CK
БДУ ФСТЭК
Новая БДУ ФСТЭК
RU
Риски
Каталоги
MITRE ATT&CK
Техника
Clear Mailbox Data
Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.
Подробнее
Наш канал

Indicator Removal:  Clear Mailbox Data

ID Name
.001 Clear Windows Event Logs
.002 Clear Linux or Mac System Logs
.003 Clear Command History
.004 File Deletion
.005 Network Share Connection Removal
.006 Timestomp
.007 Clear Network Connection History and Configurations
.008 Clear Mailbox Data
.009 Clear Persistence

Adversaries may modify mail application data to remove evidence of their activity. Email applications allow users and other programs to export and delete mailbox data via command line tools or use of APIs. Mail application data can be emails or logs generated by the application or operating system, such as export requests. Adversaries may manipulate email mailbox data to remove logs and artifacts, such as evidence of Phishing/Internal Spearphishing, Email Collection, Mail Protocols for command and control, or email-based exfiltration such as Exfiltration Over Alternative Protocol. For example, to remove evidence on Exchange servers adversaries have used the ExchangePowerShell PowerShell module, including Remove-MailboxExportRequest to remove evidence of mailbox exports.(Citation: Volexity SolarWinds)(Citation: ExchangePowerShell Module) On Linux and macOS, adversaries may also delete emails through a command line utility called mail or use AppleScript to interact with APIs on macOS.(Citation: Cybereason Cobalt Kitty 2017)(Citation: mailx man page)

ID: T1070.008
Sub-technique of:  T1070
Tactic(s): Defense Evasion
Platforms: Google Workspace, Linux, macOS, Office 365, Windows
Data Sources: Command: Command Execution, File: File Deletion, File: File Modification, Process: Process Creation
Version: 1.0
Created: 08 Jul 2022
Last Modified: 17 Oct 2022

Procedure Examples
Name Description
APT29

APT29 removed evidence of email export requests using Remove-MailboxExportRequest.(Citation: Volexity SolarWinds)
Goopy

Goopy has the ability to delete emails used for C2 once the content has been copied.(Citation: Cybereason Cobalt Kitty 2017)

Mitigations
Mitigation Description
Restrict File and Directory Permissions

Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.
Remote Data Storage

Use remote security log and sensitive file storage where access can be controlled better to prevent exposure of intrusion detection log data or sensitive information.

References

  1. Microsoft. (2017, September 25). ExchangePowerShell. Retrieved June 10, 2022.
  2. Michael Kerrisk. (2021, August 27). mailx(1p) — Linux manual page. Retrieved June 10, 2022.
  3. Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018.
  4. Cash, D. et al. (2020, December 14). Dark Halo Leverages SolarWinds Compromise to Breach Organizations. Retrieved December 29, 2020.
Навигация

Связанные риски

Ничего не найдено

Каталоги

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.