Indicator Removal: Clear Mailbox Data
Adversaries may modify mail and mail application data to remove evidence of their activity. Email applications allow users and other programs to export and delete mailbox data via command line tools or use of APIs. Mail application data can be emails, email metadata, or logs generated by the application or operating system, such as export requests.
Adversaries may manipulate emails and mailbox data to remove logs, artifacts, and metadata, such as evidence of Phishing/Internal Spearphishing, Email Collection, Mail Protocols for command and control, or email-based exfiltration such as Exfiltration Over Alternative Protocol. For example, to remove evidence on Exchange servers adversaries have used the `ExchangePowerShell` PowerShell module, including `Remove-MailboxExportRequest`, to remove evidence of mailbox exports.(Citation: Volexity SolarWinds)(Citation: ExchangePowerShell Module) On Linux and macOS, adversaries may also delete emails through a command line utility called `mail`, or use AppleScript to interact with APIs on macOS.(Citation: Cybereason Cobalt Kitty 2017)(Citation: mailx man page)
Adversaries may also remove emails and metadata/headers indicative of spam or suspicious activity (for example, through the use of organization-wide transport rules) to reduce the likelihood of malicious emails being detected by security products.(Citation: Microsoft OAuth Spam 2022)
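As an added example (not code from the ATT&CK page or from any tool it cites), the following Python flags the clean-up patterns described above in constructed Exchange admin-audit-style records: removal of a mailbox export request, escalated when the same caller created an export earlier in the reviewed records, and transport rules that use the DeleteMessage, SetSCL or RemoveHeader actions. The record shape (ts/caller/cmdlet/params) is a simplified assumption, not the real admin audit log schema.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Constructed sample in the shape of Exchange admin audit log records
# (ISO timestamp, caller, cmdlet name, parameter string). Not from a real system.
SAMPLE_AUDIT: List[Dict[str, str]] = [
    {"ts": "2024-01-10T09:00:00", "caller": "admin@corp.example",
     "cmdlet": "New-MailboxExportRequest", "params": "-Mailbox ceo -FilePath \\\\fs\\share\\ceo.pst"},
    {"ts": "2024-01-10T09:40:00", "caller": "admin@corp.example",
     "cmdlet": "Remove-MailboxExportRequest", "params": "-Identity ceo\\MailboxExport"},
    {"ts": "2024-01-10T10:05:00", "caller": "helpdesk@corp.example",
     "cmdlet": "New-TransportRule", "params": "-Name Quiet -HeaderContainsMessageHeader X-Spam -DeleteMessage $true"},
    {"ts": "2024-01-10T11:00:00", "caller": "helpdesk@corp.example",
     "cmdlet": "Get-Mailbox", "params": "-Identity ceo"},
]

# Transport-rule actions that delete mail or strip spam indicators
# (real New-/Set-TransportRule parameter names, matched case-insensitively).
RULE_ACTIONS = re.compile(r"-(DeleteMessage|SetSCL|RemoveHeader)\b", re.IGNORECASE)


def find_mailbox_cleanup(records: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return findings for the mailbox-data clearing patterns described on the page."""
    findings: List[Dict[str, str]] = []
    exports_by_caller = defaultdict(list)  # caller -> timestamps of export requests seen
    for r in sorted(records, key=lambda x: x["ts"]):
        name = r["cmdlet"].lower()
        if name == "new-mailboxexportrequest":
            exports_by_caller[r["caller"]].append(r["ts"])
        elif name == "remove-mailboxexportrequest":
            # Removing an export request is the cited APT29 procedure; escalate when the
            # same caller created an export earlier (export followed by clean-up).
            sev = "high" if exports_by_caller[r["caller"]] else "medium"
            findings.append({"ts": r["ts"], "caller": r["caller"], "severity": sev,
                             "reason": "mailbox export request removed"})
        elif name in ("new-transportrule", "set-transportrule"):
            m = RULE_ACTIONS.search(r["params"])
            if m:  # organization-wide rule that deletes mail or alters spam verdicts/headers
                findings.append({"ts": r["ts"], "caller": r["caller"], "severity": "medium",
                                 "reason": f"transport rule uses {m.group(1)}"})
    return findings


if __name__ == "__main__":
    for finding in find_mailbox_cleanup(SAMPLE_AUDIT):
        print(finding)
```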
Procedure Examples

Name | Description
---|---
LunarMail | LunarMail can set the `PR_DELETE_AFTER_SUBMIT` flag to delete messages sent for data exfiltration.(Citation: ESET Turla Lunar toolset May 2024)
APT29 | During the SolarWinds Compromise, APT29 removed evidence of email export requests using `Remove-MailboxExportRequest`.(Citation: Volexity SolarWinds)
Goopy | Goopy has the ability to delete emails used for C2 once the content has been copied.(Citation: Cybereason Cobalt Kitty 2017)
Mitigations

Mitigation | Description
---|---
Restrict File and Directory Permissions | Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.
Audit | Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.
Remote Data Storage | Use remote security log and sensitive file storage where access can be controlled better to prevent exposure of intrusion detection log data or sensitive information.
References
- Cash, D. et al. (2020, December 14). Dark Halo Leverages SolarWinds Compromise to Breach Organizations. Retrieved December 29, 2020.
- Microsoft. (2023, September 22). Malicious OAuth applications abuse cloud email services to spread spam. Retrieved March 13, 2023.
- Microsoft. (2017, September 25). ExchangePowerShell. Retrieved June 10, 2022.
- Michael Kerrisk. (2021, August 27). mailx(1p) — Linux manual page. Retrieved June 10, 2022.
- Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018.
- Jurčacko, F. (2024, May 15). To the Moon and back(doors): Lunar landing in diplomatic missions. Retrieved June 26, 2024.
- Microsoft. (2023, February 22). Manage mail flow rules in Exchange Online. Retrieved March 13, 2023.