A host exporting a mailbox from an on-prem Exchange server and subsequently deleting the export may indicate exfiltration of sensitive data by an adversary. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect potential data theft or reconnaissance activities early.
KQL Query
// Adjust the timeframe to change the window within which both events must occur to alert
let timeframe = 1h;
imProcessCreate
| where Process has_any ("powershell.exe", "cmd.exe")
| where CommandLine has 'New-MailboxExportRequest'
| summarize by Dvc, timekey = bin(TimeGenerated, timeframe), CommandLine, ActorUsername, EventVendor, EventProduct
| join kind=inner (imProcessCreate
| where Process has_any ("powershell.exe", "cmd.exe")
| where CommandLine has 'Remove-MailboxExportRequest'
| summarize by Dvc, EventProduct, EventVendor, timekey = bin(TimeGenerated, timeframe), CommandLine, ActorUsername) on Dvc, timekey, ActorUsername
| summarize by timekey, Dvc, CommandLine, ActorUsername
| project-reorder timekey, Dvc, ActorUsername, CommandLine
| extend HostCustomEntity = Dvc, AccountCustomEntity = ActorUsername
id: 4500a2ff-455b-4ee7-a21d-5ac5c7c9ea87
name: Host Exporting Mailbox and Removing Export (Normalized Process Events)
description: |
  'This hunting query looks for hosts exporting a mailbox from an on-prem Exchange server, followed by
  that same host removing the export within a short time window. This pattern has been observed by attackers
  when exfiltrating emails from a target environment. A mailbox export is unlikely to be a common command, so look for
  activity from unexpected hosts and accounts.
  Reference: https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/'
requiredDataConnectors: []
tactics:
  - Collection
relevantTechniques:
  - T1114
tags:
  - Solorigate
  - NOBELIUM
query: |
  // Adjust the timeframe to change the window within which both events must occur to alert
  let timeframe = 1h;
  imProcessCreate
  | where Process has_any ("powershell.exe", "cmd.exe")
  | where CommandLine has 'New-MailboxExportRequest'
  | summarize by Dvc, timekey = bin(TimeGenerated, timeframe), CommandLine, ActorUsername, EventVendor, EventProduct
  | join kind=inner (imProcessCreate
  | where Process has_any ("powershell.exe", "cmd.exe")
  | where CommandLine has 'Remove-MailboxExportRequest'
  | summarize by Dvc, EventProduct, EventVendor, timekey = bin(TimeGenerated, timeframe), CommandLine, ActorUsername) on Dvc, timekey, ActorUsername
  | summarize by timekey, Dvc, CommandLine, ActorUsername
  | project-reorder timekey, Dvc, ActorUsername, CommandLine
  | extend HostCustomEntity = Dvc, AccountCustomEntity = ActorUsername
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: AccountCustomEntity
  - entityType: Host
    fieldMappings:
      - identifier: FullName
        columnName: HostCustomEntity
| Sentinel Table | Notes |
|---|---|
| imProcessCreate | Ensure this data connector is enabled |
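The same host-plus-account correlation the query performs, reimplemented in Python over constructed imProcessCreate-style events so the pairing logic can be read and tested offline; this is an added example, not part of the original hunting query or the Sentinel content. It goes slightly beyond the KQL: the window is measured from each export rather than from a fixed bin(TimeGenerated, timeframe) boundary, so a pair that straddles an hourly bin (which the join on timekey would miss) is still caught. Field names follow the query; the sample events, hostnames and accounts are constructed.

```python
from datetime import datetime

# Field names mirror the imProcessCreate normalized schema used by the hunting query.
SHELLS = ("powershell.exe", "cmd.exe")
CMDLETS = {"new-mailboxexportrequest": "export", "remove-mailboxexportrequest": "remove"}
# Constructed sample events (not real telemetry); timestamps are UTC.
SAMPLE_EVENTS = [
    # Export, then a removal six minutes later by the same host and account; the pair straddles 10:00.
    {"TimeGenerated": "2020-12-14T09:58:00Z", "Dvc": "EXCH01", "ActorUsername": "CORP\\jdoe",
     "Process": "powershell.exe", "CommandLine": "New-MailboxExportRequest -Mailbox ceo -FilePath \\\\EXCH01\\C$\\Temp\\ceo.pst"},
    {"TimeGenerated": "2020-12-14T10:04:00Z", "Dvc": "EXCH01", "ActorUsername": "CORP\\jdoe",
     "Process": "powershell.exe", "CommandLine": "Remove-MailboxExportRequest -Identity ceo\\MailboxExport -Confirm:$false"},
    # A compliance job that exports but never removes, and an unrelated removal by another account: no pairing.
    {"TimeGenerated": "2020-12-14T11:00:00Z", "Dvc": "EXCH02", "ActorUsername": "CORP\\svc-compliance",
     "Process": "powershell.exe", "CommandLine": "New-MailboxExportRequest -Mailbox legal -FilePath \\\\FS01\\Exports\\legal.pst"},
    {"TimeGenerated": "2020-12-14T11:20:00Z", "Dvc": "EXCH02", "ActorUsername": "CORP\\admin2",
     "Process": "cmd.exe", "CommandLine": "powershell -c Remove-MailboxExportRequest -Identity legal\\MailboxExport"},
]

def classify(event):
    """Return 'export', 'remove' or None, approximating the query's Process and CommandLine filters."""
    if event["Process"].lower() not in SHELLS:
        return None
    cmd = event["CommandLine"].lower()
    return next((kind for cmdlet, kind in CMDLETS.items() if cmdlet in cmd), None)

def find_export_then_remove(events, timeframe_seconds=3600):
    """Pair each export with the first later removal by the same host and account within the window."""
    by_actor = {}
    for ev in events:
        kind = classify(ev)
        if kind:
            ts = datetime.strptime(ev["TimeGenerated"], "%Y-%m-%dT%H:%M:%SZ")
            by_actor.setdefault((ev["Dvc"], ev["ActorUsername"]), []).append((ts, kind, ev["CommandLine"]))
    hits = []
    for (dvc, user), items in by_actor.items():
        items.sort()  # chronological per host/account, so the inner scan is a sliding window
        for i, (t_exp, kind, exp_cmd) in enumerate(items):
            if kind != "export":
                continue
            for t_rm, kind_rm, rm_cmd in items[i + 1:]:
                delta = int((t_rm - t_exp).total_seconds())
                if delta > timeframe_seconds:
                    break
                if kind_rm == "remove":
                    hits.append({"Dvc": dvc, "ActorUsername": user, "SecondsBetween": delta,
                                 "ExportCommandLine": exp_cmd, "RemoveCommandLine": rm_cmd})
                    break
    return hits
```

Running `find_export_then_remove(SAMPLE_EVENTS)` returns one hit for EXCH01 / CORP\jdoe; the compliance export on EXCH02 and the removal by a different account there do not pair.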
Scenario: Scheduled mailbox export for compliance or backup
Description: A system administrator schedules a mailbox export as part of a regular compliance or backup process using Exchange Management Shell or PowerShell scripts.
Filter/Exclusion: Exclude processes initiated by Exchange Admins or scheduled tasks with known compliance-related names (e.g., BackupMailboxJob or ComplianceExportJob).

Scenario: Automated mailbox export for eDiscovery
Description: A legal or compliance team uses Microsoft eDiscovery tools to export mailboxes as part of a formal investigation.
Filter/Exclusion: Exclude activities associated with eDiscovery tools or processes with eDiscovery in the command line or script name.

Scenario: User-initiated mailbox export for personal use
Description: A user exports their own mailbox using Outlook Web Access (OWA) or Microsoft Outlook for personal archiving or migration.
Filter/Exclusion: Exclude exports initiated by user accounts with user-specific or personal mailbox identifiers, or filter by user roles like User instead of Admin.

Scenario: System maintenance task removing exported mailbox
Description: A system maintenance task, such as Exchange Cleanup Job or database maintenance, removes the exported mailbox after a period.
Filter/Exclusion: Exclude processes initiated by system accounts (e.g., NT AUTHORITY\SYSTEM) or scheduled maintenance tasks with known names (e.g., CleanupExportedMailboxes).

Scenario: Malware or script attempting to export and remove mailbox
Description: A malicious script or malware attempts to export and then delete a mailbox, mimicking legitimate behavior.
Filter/Exclusion: Exclude events where the process is initiated by non-human accounts