⚠️ WARNING: THIS IS AN EXPERIMENTAL DETECTION
We have not been able to test, simulate or build datasets for it; use at your own risk!
The search looks at the change-analysis data model and detects email files created outside the normal Outlook directory.
- Type: TTP
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel: Endpoint
- Last Updated: 2020-07-21
- Author: Bhavin Patel, Splunk
- ID: ee18ed37-0802-4268-9435-b3b91aaa18xx
| ID | Technique | Tactic |
| --- | --- | --- |
| T1114.001 | Local Email Collection | Collection |
```
| tstats `security_content_summariesonly` count values(Filesystem.file_path) as file_path min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem
    where (Filesystem.file_name=*.pst OR Filesystem.file_name=*.ost)
    Filesystem.file_path != "C:\\Users\\*\\My Documents\\Outlook Files\\*"
    Filesystem.file_path != "C:\\Users\\*\\AppData\\Local\\Microsoft\\Outlook*"
    by Filesystem.action Filesystem.process_id Filesystem.file_name Filesystem.dest
| `drop_dm_object_name("Filesystem")`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `email_files_written_outside_of_the_outlook_directory_filter`
```
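To show what the where-clause and the `by` grouping actually select, here is an added example (not part of the Splunk content, and not how Splunk evaluates the search) that re-implements the same logic in Python over a handful of constructed Sysmon-style file-create events; the hostnames, PIDs, paths and timestamps are made up.

```python
import fnmatch

# Paths the SPL excludes; the wildcards are the same as in the search.
ALLOWED_PATH_GLOBS = (
    r"C:\Users\*\My Documents\Outlook Files\*",
    r"C:\Users\*\AppData\Local\Microsoft\Outlook*",
)
EMAIL_FILE_GLOBS = ("*.pst", "*.ost")


def is_suspicious_email_file(file_path: str) -> bool:
    """Mirror the where-clause: a .pst/.ost file outside both Outlook locations.

    Matching is case-insensitive, like Splunk's wildcard comparisons.
    """
    path = file_path.lower()
    name = path.rsplit("\\", 1)[-1]
    if not any(fnmatch.fnmatchcase(name, g) for g in EMAIL_FILE_GLOBS):
        return False
    return not any(fnmatch.fnmatchcase(path, g.lower()) for g in ALLOWED_PATH_GLOBS)


def detect(events):
    """Aggregate matching events the way the tstats 'by' clause does:
    count, values(file_path), min(_time), max(_time) per (action, process_id, file_name, dest)."""
    groups = {}
    for ev in events:
        path = ev["file_path"]
        if not is_suspicious_email_file(path):
            continue
        key = (ev["action"], ev["process_id"], path.rsplit("\\", 1)[-1], ev["dest"])
        g = groups.setdefault(key, {"count": 0, "file_path": set(),
                                    "firstTime": ev["_time"], "lastTime": ev["_time"]})
        g["count"] += 1
        g["file_path"].add(path)
        g["firstTime"] = min(g["firstTime"], ev["_time"])
        g["lastTime"] = max(g["lastTime"], ev["_time"])
    return groups


# Constructed sample events (Endpoint.Filesystem-shaped), not real telemetry.
SAMPLE_EVENTS = [
    {"_time": 1595318400, "dest": "WKSTN01", "process_id": 4120, "action": "created",
     "file_path": r"C:\Users\alice\AppData\Local\Microsoft\Outlook\alice@corp.local.ost"},
    {"_time": 1595318430, "dest": "WKSTN01", "process_id": 4120, "action": "created",
     "file_path": r"C:\Users\alice\My Documents\Outlook Files\archive2019.pst"},
    {"_time": 1595318460, "dest": "WKSTN01", "process_id": 7732, "action": "created",
     "file_path": r"C:\Users\alice\Desktop\mail_backup.pst"},
    {"_time": 1595318520, "dest": "WKSTN01", "process_id": 7732, "action": "created",
     "file_path": r"C:\Temp\staging\alice.OST"},
    {"_time": 1595318550, "dest": "WKSTN01", "process_id": 7732, "action": "created",
     "file_path": r"C:\Users\alice\Desktop\notes.txt"},
    {"_time": 1595318580, "dest": "WKSTN01", "process_id": 7732, "action": "created",
     "file_path": r"C:\Users\alice\Desktop\mail_backup.pst"},
]
```

Running `detect(SAMPLE_EVENTS)` yields two groups (the Desktop `.pst` seen twice and the `C:\Temp` `.ost`), while the two files inside the standard Outlook directories are dropped by the exclusions.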
Associated Analytic Story
How To Implement
To successfully implement this search, you must be ingesting data that records the file-system activity from your hosts to populate the Endpoint.Filesystem data model node. This is typically populated via an endpoint detection-and-response product, such as Carbon Black, or by other endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report file-system reads and writes.
Kill Chain Phase
- Actions on Objectives
Known False Positives
Administrators and users sometimes prefer to back up their email data by moving the email files into a different folder. These moves will be detected by the search.
source | version: 3