Techniques
Sample rules
Email files written outside of the Outlook directory
- source: splunk
- technicques:
- T1114
- T1114.001
Description
The search looks at the change-analysis data model and detects email files created outside the normal Outlook directory.
Detection logic
| tstats `security_content_summariesonly` count values(Filesystem.file_path) as file_path min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where (Filesystem.file_name=*.pst OR Filesystem.file_name=*.ost) Filesystem.file_path != "C:\\Users\\*\\My Documents\\Outlook Files\\*" Filesystem.file_path!="C:\\Users\\*\\AppData\\Local\\Microsoft\\Outlook*" by Filesystem.action Filesystem.process_id Filesystem.file_name Filesystem.dest
| `drop_dm_object_name("Filesystem")`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `email_files_written_outside_of_the_outlook_directory_filter`