Email Files Written Outside Of The Outlook Directory

Description

The search looks at the change-analysis data model and detects email files created outside the normal Outlook directory.

Use Case

Advanced Threat Detection

Category

Adversary Tactics

Alert Volume

SPL Difficulty

None

Journey

Stage 1

MITRE ATT&CK Tactics

Collection

MITRE ATT&CK Techniques

Email Collection

Local Email Collection

MITRE Threat Groups

APT1
Magic Hound

Kill Chain Phases

Actions On Objectives

Data Sources

Email

Email Files Written Outside Of The Outlook Directory Help

To successfully implement this search, you must be ingesting data that records file-system activity from your hosts to populate the Endpoint.Filesystem node of the data model. This node is typically populated via endpoint detection-and-response products, such as Carbon Black, or by other endpoint data sources, such as Sysmon (Event ID 11, FileCreate). The data used for this search is generated by logs that report file-system writes, since the search keys on the creation of email data files; each event must carry the file name and the full path so that both the extension and the directory can be checked.
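
The logic this search applies can be stated compactly outside Splunk. The following is an added example, not the page's SPL or any Splunk content: it runs the same two checks (is this an email data file, and is it outside the expected Outlook directory) over a handful of constructed file-create events shaped like normalized Sysmon Event ID 11 records. The .pst/.ost extensions and the default Outlook data locations (the per-user AppData\Local\Microsoft\Outlook folder and Documents\Outlook Files) are assumptions of the example; the host names, users, processes and paths are made up.

```python
import re

# Constructed sample file-create events, shaped like normalized Sysmon Event ID 11
# (FileCreate) records; they are not real telemetry from any host.
SAMPLE_EVENTS = [
    {"host": "ws01", "user": r"CORP\alice", "process": "OUTLOOK.EXE",
     "file_path": r"C:\Users\alice\AppData\Local\Microsoft\Outlook\alice@corp.example.ost"},
    {"host": "ws01", "user": r"CORP\alice", "process": "OUTLOOK.EXE",
     "file_path": r"C:\Users\alice\Documents\Outlook Files\archive-2019.pst"},
    {"host": "ws02", "user": r"CORP\bob", "process": "powershell.exe",
     "file_path": r"C:\Users\Public\mail\bob_export.pst"},
    {"host": "ws02", "user": r"CORP\bob", "process": "powershell.exe",
     "file_path": r"C:\Windows\Temp\mailbox.OST"},
    {"host": "ws03", "user": r"CORP\carol", "process": "notepad.exe",
     "file_path": r"C:\Users\carol\Desktop\notes.txt"},
]

# Assumptions made by this example (the page does not spell them out):
# Outlook keeps mailbox data in .pst/.ost files, and its default locations are the
# per-user AppData\Local\Microsoft\Outlook folder and Documents\Outlook Files.
EMAIL_FILE_EXTENSIONS = (".pst", ".ost")
OUTLOOK_DIRECTORY_PATTERNS = [
    re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\microsoft\\outlook\\"),
    re.compile(r"^[a-z]:\\users\\[^\\]+\\documents\\outlook files\\"),
]


def normalize_path(path):
    """Lower-case and use backslashes so matching is case- and separator-insensitive."""
    return path.replace("/", "\\").lower()


def is_email_file(path):
    """True when the file extension is one Outlook uses for mailbox data."""
    return normalize_path(path).endswith(EMAIL_FILE_EXTENSIONS)


def is_in_outlook_directory(path):
    """True when the file sits under one of the expected Outlook data directories."""
    normalized = normalize_path(path)
    return any(pattern.match(normalized) for pattern in OUTLOOK_DIRECTORY_PATTERNS)


def detect_email_files_outside_outlook(events):
    """Return the file-create events that write an email data file somewhere unexpected."""
    hits = []
    for event in events:
        path = event["file_path"]
        if is_email_file(path) and not is_in_outlook_directory(path):
            hits.append({
                "host": event["host"],
                "user": event["user"],
                "process": event["process"],
                "file_path": path,
            })
    return hits


def summarize_by_host(hits):
    """Roll up hits per host (count plus distinct paths), the way a tstats-style search would."""
    summary = {}
    for hit in hits:
        entry = summary.setdefault(hit["host"], {"count": 0, "file_paths": []})
        entry["count"] += 1
        if hit["file_path"] not in entry["file_paths"]:
            entry["file_paths"].append(hit["file_path"])
    return summary


if __name__ == "__main__":
    results = summarize_by_host(detect_email_files_outside_outlook(SAMPLE_EVENTS))
    for host, entry in results.items():
        print(host, entry["count"], entry["file_paths"])
```

Two of the five constructed events fire: the .pst under C:\Users\Public and the .OST under C:\Windows\Temp, both written by powershell.exe on ws02. The two files Outlook itself wrote into its default folders do not. When tuning the real search, keep the process name in the results: a non-Outlook process writing a .pst or .ost is a stronger signal than the location alone, and users do legitimately keep .pst archives on file shares or in non-default folders, so extend the allowlist of expected directories rather than dropping the check.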
