Remove Exported Mailbox from Exchange Webserver (09570ae5-889e-43ea-aac0-0e1221fb3d95)
Detects removal of an exported Exchange mailbox which could be to cover tracks from ProxyShell exploit
| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
|---|---|---|---|---|
| Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) | Attack Pattern | Remove Exported Mailbox from Exchange Webserver (09570ae5-889e-43ea-aac0-0e1221fb3d95) | Sigma-Rules | 1 |