T1070.008 Clear Mailbox Data
Adversaries may modify mail and mail application data to remove evidence of their activity. Email applications allow users and other programs to export and delete mailbox data via command line tools or use of APIs. Mail application data can be emails, email metadata, or logs generated by the application or operating system, such as export requests.
Adversaries may manipulate emails and mailbox data to remove logs, artifacts, and metadata, such as evidence of Phishing/Internal Spearphishing, Email Collection, Mail Protocols for command and control, or email-based exfiltration such as Exfiltration Over Alternative Protocol. For example, to remove evidence on Exchange servers, adversaries have used the ExchangePowerShell PowerShell module, including Remove-MailboxExportRequest, to remove evidence of mailbox exports.[1][4] On Linux and macOS, adversaries may also delete emails through a command line utility called mail, or use AppleScript to interact with APIs on macOS.[2][3]
Adversaries may also remove emails and metadata/headers indicative of spam or suspicious activity (for example, through the use of organization-wide transport rules) to reduce the likelihood of malicious emails being detected by security products.[5]
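The detection idea above (Application Log and Command Execution data sources) applied to Exchange admin audit records, as an added example that is not part of the ATT&CK page: it flags Remove-MailboxExportRequest (and pairs it with the export it follows, the SolarWinds pattern), Remove-TransportRule, and New-/Set-TransportRule calls that silently drop mail or strip spam evidence. It assumes the Microsoft 365 Unified Audit Log shape for ExchangeAdmin records (Operation, UserId, Workload, CreationTime, and a Parameters array of Name/Value pairs); the audit records themselves are constructed for the example.

```python
# Exchange transport-rule cmdlet parameters that make a rule drop mail or remove
# spam-related evidence (these are the real New-/Set-TransportRule parameter names).
SUSPICIOUS_RULE_PARAMS = {"DeleteMessage", "RemoveHeader", "SetSCL"}
RULE_OPS = {"New-TransportRule", "Set-TransportRule"}
REMOVAL_OPS = {
    "Remove-MailboxExportRequest": "mailbox export request deleted (possible cleanup after export)",
    "Remove-TransportRule": "transport rule deleted (possible removal of a filtering rule)",
}

def params_of(record):
    """Flatten the Parameters array of an ExchangeAdmin audit record into a dict."""
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}

def find_mailbox_tampering(records):
    """Return findings matching T1070.008 behaviour. Export requests are tracked per
    user so a later Remove-MailboxExportRequest is reported with the export it hides."""
    findings, last_export = [], {}
    for rec in sorted(records, key=lambda r: r["CreationTime"]):  # ISO timestamps sort as text
        if rec.get("Workload") != "Exchange":
            continue
        op, user, p = rec.get("Operation", ""), rec.get("UserId"), params_of(rec)
        if op == "New-MailboxExportRequest":
            last_export[user] = (p.get("Mailbox"), p.get("FilePath"))
        elif op in REMOVAL_OPS:
            f = {"user": user, "operation": op, "target": p.get("Identity"), "reason": REMOVAL_OPS[op]}
            if op == "Remove-MailboxExportRequest" and user in last_export:
                f["covers_export"] = last_export[user]
            findings.append(f)
        elif op in RULE_OPS:
            hits = sorted(SUSPICIOUS_RULE_PARAMS & p.keys())
            if hits:  # a benign priority/banner change has none of these parameters
                findings.append({"user": user, "operation": op, "target": p.get("Name") or p.get("Identity"),
                                 "reason": "transport rule drops or alters mail: " + ", ".join(hits)})
    return findings

SAMPLE_RECORDS = [  # constructed for this example; not real tenant telemetry
    {"CreationTime": "2023-04-01T10:02:11", "Workload": "Exchange", "UserId": "svc-backup@example.test",
     "Operation": "New-MailboxExportRequest",
     "Parameters": [{"Name": "Mailbox", "Value": "cfo"}, {"Name": "FilePath", "Value": "\\\\fs01\\share\\cfo.pst"}]},
    {"CreationTime": "2023-04-01T10:40:53", "Workload": "Exchange", "UserId": "svc-backup@example.test",
     "Operation": "Remove-MailboxExportRequest",
     "Parameters": [{"Name": "Identity", "Value": "cfo\\MailboxExport"}]},
    {"CreationTime": "2023-04-01T11:05:00", "Workload": "Exchange", "UserId": "helpdesk@example.test",
     "Operation": "Set-TransportRule",
     "Parameters": [{"Name": "Identity", "Value": "Legal banner"}, {"Name": "Priority", "Value": "0"}]},
    {"CreationTime": "2023-04-01T11:07:42", "Workload": "Exchange", "UserId": "svc-backup@example.test",
     "Operation": "New-TransportRule",
     "Parameters": [{"Name": "Name", "Value": "cleanup"}, {"Name": "SubjectContainsWords", "Value": "sign-in alert"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
]
```

Running find_mailbox_tampering(SAMPLE_RECORDS) yields two findings: the export-request deletion tied back to the cfo export, and the new rule that deletes messages; the benign Set-TransportRule priority change is not reported.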
| Item | Value |
|---|---|
| ID | T1070.008 |
| Sub-techniques | T1070.001, T1070.002, T1070.003, T1070.004, T1070.005, T1070.006, T1070.007, T1070.008, T1070.009 |
| Tactics | TA0005 |
| Platforms | Google Workspace, Linux, Office 365, Windows, macOS |
| Version | 1.1 |
| Created | 08 July 2022 |
| Last Modified | 12 April 2023 |
Procedure Examples
| ID | Name | Description |
|---|---|---|
| S0477 | Goopy | Goopy has the ability to delete emails used for C2 once the content has been copied.[2] |
| C0024 | SolarWinds Compromise | During the SolarWinds Compromise, APT29 removed evidence of email export requests using Remove-MailboxExportRequest.[1] |
Mitigations
| ID | Mitigation | Description |
|---|---|---|
| M1047 | Audit | In an Exchange environment, administrators can use Get-TransportRule / Remove-TransportRule to discover and remove potentially malicious transport rules.[6] |
| M1029 | Remote Data Storage | Automatically forward mail data and events to a log server or data repository to prevent conditions in which the adversary can locate and manipulate data on the local system. When possible, minimize time delay on event reporting to avoid prolonged storage on the local system. |
| M1022 | Restrict File and Directory Permissions | Protect generated event files that are stored locally with proper permissions and authentication, and limit opportunities for adversaries to increase privileges by preventing Privilege Escalation opportunities. |
Detection
| ID | Data Source | Data Component |
|---|---|---|
| DS0015 | Application Log | Application Log Content |
| DS0017 | Command | Command Execution |
| DS0022 | File | File Deletion |
| DS0009 | Process | Process Creation |
References
1. Cash, D. et al. (2020, December 14). Dark Halo Leverages SolarWinds Compromise to Breach Organizations. Retrieved December 29, 2020.
2. Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018.
3. Kerrisk, M. (2021, August 27). mailx(1p) - Linux manual page. Retrieved June 10, 2022.
4. Microsoft. (2017, September 25). ExchangePowerShell. Retrieved June 10, 2022.
5. Microsoft. (2023, September 22). Malicious OAuth applications abuse cloud email services to spread spam. Retrieved March 13, 2023.
6. Microsoft. (2023, February 22). Manage mail flow rules in Exchange Online. Retrieved March 13, 2023.