Indicator Removal: Очистка почтового ящика
Other sub-techniques of Indicator Removal (9)
Adversaries may modify mail application data to remove evidence of their activity. Email applications allow users and other programs to export and delete mailbox data via command line tools or use of APIs. Mail application data can be emails or logs generated by the application or operating system, such as export requests.
Adversaries may manipulate email mailbox data to remove logs and artifacts, such as evidence of Phishing/Internal Spearphishing, Email Collection, Mail Protocols for command and control, or email-based exfiltration such as Exfiltration Over Alternative Protocol. For example, to remove evidence on Exchange servers adversaries have used the ExchangePowerShell
PowerShell module, including Remove-MailboxExportRequest
to remove evidence of mailbox exports.(Citation: Volexity SolarWinds)(Citation: ExchangePowerShell Module) On Linux and macOS, adversaries may also delete emails through a command line utility called mail
or use AppleScript to interact with APIs on macOS.(Citation: Cybereason Cobalt Kitty 2017)(Citation: mailx man page)
Примеры процедур |
|
Название | Описание |
---|---|
APT29 |
APT29 removed evidence of email export requests using |
Goopy |
Goopy has the ability to delete emails used for C2 once the content has been copied.(Citation: Cybereason Cobalt Kitty 2017) |
Контрмеры |
|
Контрмера | Описание |
---|---|
Restrict File and Directory Permissions |
Restrict access by setting directory and file permissions that are not specific to users or privileged accounts. |
Remote Data Storage |
Use remote security log and sensitive file storage where access can be controlled better to prevent exposure of intrusion detection log data or sensitive information. |
Ссылки
- Microsoft. (2017, September 25). ExchangePowerShell. Retrieved June 10, 2022.
- Michael Kerrisk. (2021, August 27). mailx(1p) — Linux manual page. Retrieved June 10, 2022.
- Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018.
- Cash, D. et al. (2020, December 14). Dark Halo Leverages SolarWinds Compromise to Breach Organizations. Retrieved December 29, 2020.
Связанные риски
Каталоги
Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.