administrators and users sometimes prefer backing up their email data by moving the email files into a different folder. these attempts will be detected by the search.

t1114
t1114.001
endpoint
splunk

Techniques

T1114
T1114.001

Sample rules

Email files written outside of the Outlook directory

source: splunk
technicques:
- T1114
- T1114.001

Description

The search looks at the change-analysis data model and detects email files created outside the normal Outlook directory.

Detection logic


| tstats `security_content_summariesonly` count values(Filesystem.file_path) as file_path min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where (Filesystem.file_name=*.pst OR Filesystem.file_name=*.ost) Filesystem.file_path != "C:\\Users\\*\\My Documents\\Outlook Files\\*"  Filesystem.file_path!="C:\\Users\\*\\AppData\\Local\\Microsoft\\Outlook*" by Filesystem.action Filesystem.process_id Filesystem.file_name Filesystem.dest 
| `drop_dm_object_name("Filesystem")` 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`
| `email_files_written_outside_of_the_outlook_directory_filter`