T1070.008 - Clear Mailbox Data#
Adversaries may modify mail and mail application data to remove evidence of their activity. Email applications allow users and other programs to export and delete mailbox data via command line tools or use of APIs. Mail application data can be emails, email metadata, or logs generated by the application or operating system, such as export requests.
Adversaries may manipulate emails and mailbox data to remove logs, artifacts, and metadata, such as evidence of Phishing/Internal Spearphishing, Email Collection, Mail Protocols for command and control, or email-based exfiltration such as Exfiltration Over Alternative Protocol. For example, to remove evidence on Exchange servers adversaries have used the ExchangePowerShell PowerShell module, including Remove-MailboxExportRequest, to remove evidence of mailbox exports.(Citation: Volexity SolarWinds)(Citation: ExchangePowerShell Module) On Linux and macOS, adversaries may also delete emails through the command line utility mail, or use AppleScript to interact with APIs on macOS.(Citation: Cybereason Cobalt Kitty 2017)(Citation: mailx man page)
Adversaries may also remove emails and metadata/headers indicative of spam or suspicious activity (for example, through the use of organization-wide transport rules) to reduce the likelihood of malicious emails being detected by security products.(Citation: Microsoft OAuth Spam 2022)
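The Exchange case above (an export request created with New-MailboxExportRequest and then deleted with Remove-MailboxExportRequest) leaves a pair of cmdlet invocations in the Exchange admin audit log. The following script is an added example, not code from the ATT&CK page, from Volexity or from Atomic Red Team: it correlates the two cmdlets per caller and mailbox within a sliding window so that a quick export-then-cleanup stands out from routine request housekeeping. It assumes one JSON object per line using the field names exposed by Search-AdminAuditLog on on-premises Exchange (RunDate, Caller, CmdletName, CmdletParameters); the records in SAMPLE_AUDIT_LOG and the 24-hour window are constructed for the example.

```python
"""Correlate mailbox export requests with their removal in Exchange admin audit data.

Added example (not part of the ATT&CK page, Volexity's report or Atomic Red Team).
Assumption: input is JSON lines with the field names Search-AdminAuditLog exposes
(RunDate, Caller, CmdletName, CmdletParameters). Sample records are constructed.
"""
import json
import re
from datetime import datetime, timedelta

# Constructed sample records (not real audit data). The first pair is the
# suspicious sequence; the last pair is a week apart and is treated as routine.
SAMPLE_AUDIT_LOG = r"""
{"RunDate": "2023-05-01T02:10:00Z", "Caller": "CORP\\svc-backup", "CmdletName": "New-MailboxExportRequest", "CmdletParameters": "-Mailbox ceo -FilePath \\\\ex01\\c$\\temp\\ceo.pst"}
{"RunDate": "2023-05-01T02:31:00Z", "Caller": "CORP\\svc-backup", "CmdletName": "Remove-MailboxExportRequest", "CmdletParameters": "-Identity ceo\\MailboxExport -Confirm:$false"}
{"RunDate": "2023-05-01T09:00:00Z", "Caller": "CORP\\helpdesk1", "CmdletName": "Set-Mailbox", "CmdletParameters": "-Identity bob -ProhibitSendQuota 2GB"}
{"RunDate": "2023-05-02T14:05:00Z", "Caller": "CORP\\exadmin", "CmdletName": "New-MailboxExportRequest", "CmdletParameters": "-Mailbox legalhold -FilePath \\\\fs01\\ediscovery\\legalhold.pst"}
{"RunDate": "2023-05-09T08:00:00Z", "Caller": "CORP\\exadmin", "CmdletName": "Remove-MailboxExportRequest", "CmdletParameters": "-Identity legalhold\\MailboxExport"}
"""

_TARGET = re.compile(r"-(?:Mailbox|Identity)\s+(\S+)")
_FILEPATH = re.compile(r"-FilePath\s+(\S+)")


def parse_audit_log(text):
    """Parse JSON lines into records sorted by RunDate (UTC, ISO-8601 with Z)."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["RunDate"] = datetime.strptime(rec["RunDate"], "%Y-%m-%dT%H:%M:%SZ")
        records.append(rec)
    records.sort(key=lambda r: r["RunDate"])
    return records


def target_mailbox(params):
    """Mailbox named by -Mailbox or -Identity. Export request identities look
    like 'mailbox\\MailboxExport', so keep only the part before the backslash."""
    match = _TARGET.search(params)
    if not match:
        return None
    return match.group(1).split("\\")[0].lower()


def find_export_cleanup(records, window=timedelta(hours=24)):
    """Return findings where the same caller removed an export request for the
    same mailbox within `window` of creating it (export-then-cleanup pattern)."""
    pending = {}   # (caller, mailbox) -> most recent New-MailboxExportRequest
    findings = []
    for rec in records:
        key = (rec["Caller"].lower(), target_mailbox(rec["CmdletParameters"]))
        if rec["CmdletName"] == "New-MailboxExportRequest":
            pending[key] = rec
        elif rec["CmdletName"] == "Remove-MailboxExportRequest":
            export = pending.pop(key, None)
            if export is None:
                continue
            gap = rec["RunDate"] - export["RunDate"]
            if gap <= window:
                path = _FILEPATH.search(export["CmdletParameters"])
                findings.append({
                    "caller": rec["Caller"],
                    "mailbox": key[1],
                    "export_path": path.group(1) if path else None,
                    "minutes_between": int(gap.total_seconds() // 60),
                })
    return findings


if __name__ == "__main__":
    for f in find_export_cleanup(parse_audit_log(SAMPLE_AUDIT_LOG)):
        print(f"{f['caller']} exported {f['mailbox']} to {f['export_path']} "
              f"and removed the request {f['minutes_between']} min later")
```

Run against real data by piping `Search-AdminAuditLog | ConvertTo-Json` output (one object per line) into parse_audit_log. Forward the admin audit log, or PowerShell script-block logs, off the Exchange server: an account that can remove export requests typically holds Exchange roles that can also disable admin audit logging with Set-AdminAuditLogConfig, so a copy that lives only on the server is itself removable evidence.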
Atomic Tests#
Atomic Test #1 - Copy and Delete Mailbox Data on Windows#
Copies and deletes mail data on Windows
Supported Platforms: windows
Elevation Required (e.g. root or admin)
Attack Commands: Run with powershell#
New-Item -Path "C:\Users\$env:USERNAME\AppData\Local\Comms\Unistore\data\copy" -ItemType Directory -ErrorAction Ignore
Get-ChildItem -Path "C:\Users\$env:USERNAME\AppData\Local\Comms\Unistore\data" -Exclude copy | ForEach-Object { Copy-Item -Path $_.FullName -Destination "C:\Users\$env:USERNAME\AppData\Local\Comms\Unistore\data\copy" -Recurse -Force -ErrorAction Ignore }
Remove-Item -Path "C:\Users\$env:USERNAME\AppData\Local\Comms\Unistore\data\copy" -Recurse -Force -ErrorAction Ignore
Invoke-AtomicTest T1070.008 -TestNumbers 1
Cleanup:#
Remove-Item -Path "C:\Users\$env:USERNAME\AppData\Local\Comms\Unistore\data\copy" -Recurse -Force -ErrorAction Ignore
Invoke-AtomicTest T1070.008 -TestNumbers 1 -Cleanup
Atomic Test #2 - Copy and Delete Mailbox Data on Linux#
Copies and deletes mail data on Linux
Supported Platforms: linux
Elevation Required (e.g. root or admin)
Attack Commands: Run with bash#
mkdir -p /var/spool/mail/copy
for file in /var/spool/mail/*; do
  if [ "$(basename "$file")" != "copy" ]; then
    cp -R "$file" /var/spool/mail/copy/
  fi
done
rm -rf /var/spool/mail/copy/*
Invoke-AtomicTest T1070.008 -TestNumbers 2
Cleanup:#
rm -rf /var/spool/mail/copy
Invoke-AtomicTest T1070.008 -TestNumbers 2 -Cleanup
Atomic Test #3 - Copy and Delete Mailbox Data on macOS#
Copies and deletes mail data on macOS
Supported Platforms: macos
Elevation Required (e.g. root or admin)
Attack Commands: Run with bash#
mkdir ~/Library/Mail/copy
cp -R ~/Library/Mail/* ~/Library/Mail/copy
rm -rf ~/Library/Mail/copy/*
Invoke-AtomicTest T1070.008 -TestNumbers 3
Cleanup:#
rm -rf ~/Library/Mail/copy
Invoke-AtomicTest T1070.008 -TestNumbers 3 -Cleanup
Atomic Test #4 - Copy and Modify Mailbox Data on Windows#
Copies and modifies mail data on Windows
Supported Platforms: windows
Elevation Required (e.g. root or admin)
Attack Commands: Run with powershell#
New-Item -Path "C:\Users\$env:USERNAME\AppData\Local\Comms\Unistore\data\copy" -ItemType Directory -ErrorAction Ignore
Get-ChildItem -Path "C:\Users\$env:USERNAME\AppData\Local\Comms\Unistore\data" -Exclude copy | ForEach-Object { Copy-Item -Path $_.FullName -Destination "C:\Users\$env:USERNAME\AppData\Local\Comms\Unistore\data\copy" -Recurse -Force -ErrorAction Ignore }
Get-ChildItem -Path "C:\Users\$env:USERNAME\AppData\Local\Comms\Unistore\data\copy" -File | ForEach-Object { Add-Content -Path $_.FullName -Value "Modification for Atomic Red Test" -ErrorAction Ignore }
Invoke-AtomicTest T1070.008 -TestNumbers 4
Cleanup:#
Remove-Item -Path "C:\Users\$env:USERNAME\AppData\Local\Comms\Unistore\data\copy" -Recurse -Force -ErrorAction Ignore
Invoke-AtomicTest T1070.008 -TestNumbers 4 -Cleanup
Atomic Test #5 - Copy and Modify Mailbox Data on Linux#
Copies and modifies mail data on Linux
Supported Platforms: linux
Elevation Required (e.g. root or admin)
Attack Commands: Run with bash#
mkdir -p /var/spool/mail/copy
for file in /var/spool/mail/*; do
  if [ "$(basename "$file")" != "copy" ]; then
    cp -R "$file" /var/spool/mail/copy/
    if [ -f "/var/spool/mail/copy/$(basename "$file")" ]; then
      echo "Modification for Atomic Red Test" >> "/var/spool/mail/copy/$(basename "$file")"
    fi
  fi
done
Invoke-AtomicTest T1070.008 -TestNumbers 5
Cleanup:#
rm -rf /var/spool/mail/copy
Invoke-AtomicTest T1070.008 -TestNumbers 5 -Cleanup
Atomic Test #6 - Copy and Modify Mailbox Data on macOS#
Copies and modifies mail data on macOS
Supported Platforms: macos
Elevation Required (e.g. root or admin)
Attack Commands: Run with bash#
mkdir ~/Library/Mail/copy
cp -R ~/Library/Mail/* ~/Library/Mail/copy
echo "Manipulated data" > ~/Library/Mail/copy/manipulated.txt
Invoke-AtomicTest T1070.008 -TestNumbers 6
Cleanup:#
rm -rf ~/Library/Mail/copy
Invoke-AtomicTest T1070.008 -TestNumbers 6 -Cleanup
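All six tests above exercise the same pattern against a local mail store: files under the Unistore data directory, /var/spool/mail or ~/Library/Mail are copied, then deleted or appended to. The script below is an added example, not one of the Atomic Red Team tests and not from the ATT&CK page; it shows the defender's side, a hash baseline of a mail store that is diffed against a later snapshot to report deleted, modified and added files. Only the three store roots are taken from the tests; the mailbox file names, their contents and the tampering in demo() are constructed, and it runs against a temporary directory so it can be executed anywhere.

```python
"""Detect deleted or altered mailbox files with a hash baseline.

Added example (not part of the Atomic Red Team tests or the ATT&CK page).
The store roots come from the tests above; file names, contents and the
simulated tampering are constructed for the demo.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path

# Mail store roots exercised by the tests on this page.
MAIL_STORE_ROOTS = {
    "windows": r"C:\Users\<user>\AppData\Local\Comms\Unistore\data",
    "linux": "/var/spool/mail",
    "macos": "~/Library/Mail",
}


def snapshot(root):
    """Map each file (path relative to root) to its SHA-256 digest and size."""
    root = Path(root)
    state = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            state[str(path.relative_to(root))] = (digest, path.stat().st_size)
    return state


def diff_snapshots(before, after):
    """Classify every file as deleted, added or modified between two snapshots."""
    deleted = sorted(set(before) - set(after))
    added = sorted(set(after) - set(before))
    modified = sorted(p for p in before.keys() & after.keys() if before[p] != after[p])
    return {"deleted": deleted, "added": added, "modified": modified}


def demo():
    """Build a constructed mbox-style store, tamper with it, and return the diff."""
    store = Path(tempfile.mkdtemp(prefix="mailstore-"))
    try:
        (store / "alice").write_text("From alice@example.test\nSubject: quarterly numbers\n\n...\n")
        (store / "bob").write_text("From bob@example.test\nSubject: phishing report\n\n...\n")
        (store / "archive").mkdir()
        (store / "archive" / "2023.mbox").write_text("From old@example.test\n\n...\n")
        before = snapshot(store)

        # Simulated adversary actions, mirroring tests #2 and #5 but aimed at
        # the originals rather than a copy: drop one mailbox, append to another.
        (store / "bob").unlink()
        with (store / "alice").open("a") as fh:
            fh.write("Modification for Atomic Red Test\n")

        after = snapshot(store)
        return diff_snapshots(before, after)
    finally:
        shutil.rmtree(store, ignore_errors=True)


if __name__ == "__main__":
    for kind, paths in demo().items():
        for p in paths:
            print(f"{kind:8s} {p}")
```

Against a live store, run snapshot() on the platform's root from MAIL_STORE_ROOTS on a schedule and keep the baseline off the host: the tests' own copy step would show up as "added" entries under copy/, and an adversary who can delete mail can delete a baseline stored next to it just as easily.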