Deletion of the Exchange PowerShell cmdlet history logs (the files an on-premises Exchange server writes under Logging\CmdletInfra\LocalPowerShell\Cmdlet\) indicates an adversary removing the record of the cmdlets they ran, the usual cleanup step after post-exploitation on a compromised Exchange server. The behaviour itself is defense evasion (ATT&CK T1070, indicator removal) rather than exfiltration or persistence, but it typically follows those actions, so SOC teams should hunt for it in Microsoft Sentinel (formerly Azure Sentinel) and treat a hit as the trigger to reconstruct what ran from other sources (Exchange IIS and HttpProxy logs, PowerShell script block logging) before that evidence is gone as well.
Detection Rule
title: Exchange PowerShell Cmdlet History Deleted
id: a55349d8-9588-4c5a-8e3b-1925fe2a4ffe
status: test
description: Detects the deletion of the Exchange PowerShell cmdlet History logs which may indicate an attempt to destroy forensic evidence
references:
    - https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-10-26
modified: 2022-12-30
tags:
    - attack.defense-evasion
    - attack.t1070
logsource:
    category: file_delete
    product: windows
detection:
    selection:
        TargetFilename|startswith: '\Logging\CmdletInfra\LocalPowerShell\Cmdlet\'
        TargetFilename|contains: '_Cmdlet_'
    condition: selection
falsepositives:
    - Possible FP during log rotation
level: high
Microsoft Sentinel translation (ASIM file event schema). Two corrections to a literal field-for-field conversion are needed: the normalized full path lives in TargetFilePath (TargetFileName carries only the file name, so a path prefix can never match it), and imFileEvent unifies create, modify, rename and delete events, so the query must restrict to EventType "FileDeleted" or it fires on every operation in that directory. A further caveat applies to the operator: Sysmon file-delete events carry an absolute path such as C:\Program Files\Microsoft\Exchange Server\V15\Logging\..., so startswith on a fragment beginning with \Logging does not match; the query below uses contains, and the same check is worth making against your own telemetry before deploying the Sigma rule as written.
imFileEvent
| where EventType == "FileDeleted"
| where TargetFilePath contains @"\Logging\CmdletInfra\LocalPowerShell\Cmdlet\" and TargetFilePath contains "_Cmdlet_"
False Positive Scenarios
The rule fires on any deletion in the cmdlet log directory, so tuning has to separate Exchange's own retention and approved maintenance from an intruder's cleanup. Tune on the fields a file_delete event actually carries (Sysmon Event ID 23 or 26: Image, User, TargetFilename). Event ID 4103 is PowerShell module logging in Microsoft-Windows-PowerShell/Operational, not a file deletion, so an exclusion keyed on it never applies to this rule; it is useful only as a correlation source.
Scenario: Scheduled Job Cleanup
Description: A scheduled task runs a script that deletes cmdlet history logs older than a retention threshold as routine maintenance.
Filter/Exclusion: Exclude only the exact pairing of the script host the task launches (Image) and the service account it runs as (User), and only after confirming the task is in your inventory (Security Event ID 4698 records task creation, 4702 task updates). The same host process deleting these files under any other account stays an alert.
Scenario: Admin Task to Purge Logs
Description: An administrator manually purges cmdlet history logs with Remove-Item under a log retention or compliance policy.
Filter/Exclusion: Do not exclude on User == "Domain\Administrator" or any other privileged account. An attacker who controls the Exchange server usually holds exactly those credentials, and a privileged account erasing its own command history is the behaviour the rule exists to catch. Keep the alert and close it against a change record instead.
Scenario: Exchange Management Shell Session Termination
Description: The assumption that closing an Exchange Management Shell session clears the cmdlet history. It does not: the cmdlet logs are files written by the Exchange server independently of any client session, and they persist until retention removes them or someone deletes them.
Filter/Exclusion: None. A deletion that happens to coincide with a session ending is still a deletion and is investigated like any other hit.
Scenario: Log Rotation by Exchange or a Log Management Tool
Description: Exchange prunes its own Logging subdirectories on an age and size basis; this is the "log rotation" false positive the rule author notes. Forwarders such as the Splunk universal forwarder or Logstash read the files and do not delete them by default; only a collector explicitly configured to remove files after ingestion would.
Filter/Exclusion: Baseline which Image and User perform the rotation on your servers and exclude that pairing. If a collector is configured to delete after ingestion, add its process and service account the same way. Any other Image deleting files in this directory remains an alert.
Scenario: User-Initiated Log Clearing via PowerShell
Description: A user or administrator runs a script or command that deletes or truncates the Exchange PowerShell history with Clear-Item or Remove-Item for troubleshooting or cleanup.
Filter/Exclusion: Do not exclude by cmdlet name; an adversary uses the same cmdlets. Correlate the file_delete event with PowerShell logging (Event ID 4104 script block text, 4103 pipeline details) showing a Remove-Item or Clear-Item against the same path, together with the Image and User of the deleting process, and close as benign only when a change record covers the activity.
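As an added worked example (written for this page, not code from the Sigma rule, its author or the referenced post), the following Python runs the rule's selection over a handful of constructed Sysmon-style file-delete records and then applies the kind of (Image, User) baseline exclusion the scenarios above call for. The events, the EXCH01_Cmdlet_...LOG file names and the ExchangeLogRetention.exe rotation process are constructed placeholders; the Exchange install root is the default for Exchange 2016/2019. The startswith count is included because the rule as written uses that operator, and on absolute paths it matches nothing.

```python
"""Added example (not part of the Sigma rule or the referenced post): runs the
rule's selection over constructed Sysmon-style file-delete records, shows why
`startswith` on the '\\Logging\\...' fragment misses absolute paths, and applies
a baseline exclusion of the kind the false-positive scenarios describe.
All events, file names and the rotation process path below are constructed."""

# Values taken from the Sigma rule's selection.
PATH_FRAGMENT = "\\Logging\\CmdletInfra\\LocalPowerShell\\Cmdlet\\"
NAME_FRAGMENT = "_Cmdlet_"

# Default Exchange 2016/2019 install root; the rule names the directory under it.
EXCH_ROOT = "C:\\Program Files\\Microsoft\\Exchange Server\\V15\\"
CMDLET_LOG_DIR = EXCH_ROOT + "Logging\\CmdletInfra\\LocalPowerShell\\Cmdlet\\"

# Hypothetical placeholder for whatever process performs Exchange's own log
# retention on your servers; establish the real Image/User pairing from a baseline.
ROTATION_IMAGE = EXCH_ROOT + "Bin\\ExchangeLogRetention.exe"  # placeholder, not a real binary
BASELINE = {(ROTATION_IMAGE.lower(), "nt authority\\system")}

# Constructed Sysmon Event ID 26 (FileDeleteDetected) records, not real telemetry.
POWERSHELL = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
EVENTS = [
    {"EventID": 26, "Image": ROTATION_IMAGE, "User": "NT AUTHORITY\\SYSTEM",
     "TargetFilename": CMDLET_LOG_DIR + "EXCH01_Cmdlet_20220920-1.LOG"},
    {"EventID": 26, "Image": POWERSHELL, "User": "CORP\\Administrator",
     "TargetFilename": CMDLET_LOG_DIR + "EXCH01_Cmdlet_20221026-1.LOG"},
    {"EventID": 26, "Image": ROTATION_IMAGE, "User": "NT AUTHORITY\\SYSTEM",
     "TargetFilename": EXCH_ROOT + "Logging\\HttpProxy\\Ecp\\HttpProxy_20220920-1.LOG"},
    {"EventID": 26, "Image": POWERSHELL, "User": "CORP\\Administrator",
     "TargetFilename": CMDLET_LOG_DIR + "notes.txt"},
]


def sigma_match(target_filename: str, path_operator: str = "startswith") -> bool:
    """The rule's selection: TargetFilename|<path_operator> PATH_FRAGMENT
    AND TargetFilename|contains NAME_FRAGMENT. Sigma string matching is
    case-insensitive, so everything is lower-cased first."""
    t = target_filename.lower()
    frag = PATH_FRAGMENT.lower()
    if path_operator == "startswith":
        path_ok = t.startswith(frag)
    elif path_operator == "contains":
        path_ok = frag in t
    else:
        raise ValueError(f"unsupported operator: {path_operator}")
    return path_ok and NAME_FRAGMENT.lower() in t


def count_matches(events, path_operator: str) -> int:
    """How many records the selection fires on with the given path operator."""
    return sum(sigma_match(e["TargetFilename"], path_operator) for e in events)


def triage(events, baseline=BASELINE, path_operator: str = "contains"):
    """Apply the selection, then the rotation exclusion. The exclusion keys on
    the (Image, User) pair, not Image alone, so the same binary deleting logs
    under an interactive account is still an alert. Returns one verdict per hit."""
    verdicts = []
    for e in events:
        if not sigma_match(e["TargetFilename"], path_operator):
            continue
        key = (e["Image"].lower(), e["User"].lower())
        verdicts.append("baseline-rotation" if key in baseline else "alert")
    return verdicts


if __name__ == "__main__":
    print("startswith hits:", count_matches(EVENTS, "startswith"))  # 0: absolute paths never start with \Logging
    print("contains hits:  ", count_matches(EVENTS, "contains"))    # 2
    hits = [e for e in EVENTS if sigma_match(e["TargetFilename"], "contains")]
    for e, verdict in zip(hits, triage(EVENTS)):
        print(f"{verdict:18} {e['User']:24} {e['TargetFilename']}")
```

Run it directly to see the per-event verdicts. Keying the exclusion on the (Image, User) pair rather than Image alone means the rotation binary run under an interactive administrator account, or a different binary running as SYSTEM, both stay alerts, which is the property the scheduled-job and rotation scenarios depend on.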