Adversaries may modify mail and mail application data to remove evidence of their activity. Email applications allow users and other programs to export and delete mailbox data via command line tools or use of APIs. Mail application data can be emails, email metadata, or logs generated by the application or operating system, such as export requests. Adversaries may manipulate emails and mailbox data to remove logs, artifacts, and metadata, such as evidence of [Phishing](https://attack.mitre.org/techniques/T1566)/[Internal Spearphishing](https://attack.mitre.org/techniques/T1534), [Email Collection](https://attack.mitre.org/techniques/T1114), [Mail Protocols](https://attack.mitre.org/techniques/T1071/003) for command and control, or email-based exfiltration such as [Exfiltration Over Alternative Protocol](https://attack.mitre.org/techniques/T1048). For example, to remove evidence on Exchange servers adversaries have used the `ExchangePowerShell` [PowerShell](https://attack.mitre.org/techniques/T1059/001) module, including `Remove-MailboxExportRequest`, to remove evidence of mailbox exports.(Citation: Volexity SolarWinds)(Citation: ExchangePowerShell Module) On Linux and macOS, adversaries may also delete emails through a command line utility called
Copies and deletes mail data on Windows

Supported Platforms: Windows

auto_generated_guid: d29f01ea-ac72-4efc-8a15-bea64b77fabf

Executor: powershell

Elevation Required (e.g. root or admin)

Attack Commands:

```powershell
# Stage a copy of the Windows Mail app store, then delete the copy (not the live store)
New-Item -Path "C:\Users\$env:USERNAME\AppData\Local\Comms\Unistore\data\copy" -ItemType Directory -ErrorAction Ignore
Get-ChildItem -Path "C:\Users\$env:USERNAME\AppData\Local\Comms\Unistore\data" -Exclude copy | ForEach-Object { Copy-Item -Path $_.FullName -Destination "C:\Users\$env:USERNAME\AppData\Local\Comms\Unistore\data\copy" -Recurse -Force -ErrorAction Ignore }
Remove-Item -Path "C:\Users\$env:USERNAME\AppData\Local\Comms\Unistore\data\copy" -Recurse -Force -ErrorAction Ignore
```

Cleanup Commands:

```powershell
Remove-Item -Path "C:\Users\$env:USERNAME\AppData\Local\Comms\Unistore\data\copy" -Recurse -Force -ErrorAction Ignore
```
Copies and deletes mail data on Linux

Supported Platforms: Linux

auto_generated_guid: 25e2be0e-96f7-4417-bd16-a4a2500e3802

Executor: bash

Elevation Required (e.g. root or admin)

Attack Commands:

```bash
# Stage a copy of the mbox spool, skipping the copy directory itself, then delete the copied contents
mkdir -p /var/spool/mail/copy
for file in /var/spool/mail/*; do
    if [ "$(basename "$file")" != "copy" ]
    then
        cp -R "$file" /var/spool/mail/copy/
    fi
done
rm -rf /var/spool/mail/copy/*
```

Cleanup Commands:

```bash
rm -rf /var/spool/mail/copy
```
Copies and deletes mail data on macOS

Supported Platforms: macOS

auto_generated_guid: 3824130e-a6e4-4528-8091-3a52eeb540f6

Executor: bash

Elevation Required (e.g. root or admin)

Attack Commands:

```bash
# Stage a copy of the Mail.app store, then delete the copied contents.
# Note: the glob also matches the copy directory itself; cp reports an error
# for that one item and continues with the rest.
mkdir ~/Library/Mail/copy
cp -R ~/Library/Mail/* ~/Library/Mail/copy
rm -rf ~/Library/Mail/copy/*
```

Cleanup Commands:

```bash
rm -rf ~/Library/Mail/copy
```
Copies and modifies mail data on Windows

Supported Platforms: Windows

auto_generated_guid: edddff85-fee0-499d-9501-7d4d2892e79b

Executor: powershell

Elevation Required (e.g. root or admin)

Attack Commands:

```powershell
# Stage a copy of the Windows Mail app store, then append a marker line to every copied file
New-Item -Path "C:\Users\$env:USERNAME\AppData\Local\Comms\Unistore\data\copy" -ItemType Directory -ErrorAction Ignore
Get-ChildItem -Path "C:\Users\$env:USERNAME\AppData\Local\Comms\Unistore\data" -Exclude copy | ForEach-Object { Copy-Item -Path $_.FullName -Destination "C:\Users\$env:USERNAME\AppData\Local\Comms\Unistore\data\copy" -Recurse -Force -ErrorAction Ignore }
Get-ChildItem -Path "C:\Users\$env:USERNAME\AppData\Local\Comms\Unistore\data\copy" -File | ForEach-Object { Add-Content -Path $_.FullName -Value "Modification for Atomic Red Test" -ErrorAction Ignore }
```

Cleanup Commands:

```powershell
Remove-Item -Path "C:\Users\$env:USERNAME\AppData\Local\Comms\Unistore\data\copy" -Recurse -Force -ErrorAction Ignore
```
Copies and modifies mail data on Linux

Supported Platforms: Linux

auto_generated_guid: 6d99f93c-da56-49e3-b195-163090ace4f6

Executor: bash

Elevation Required (e.g. root or admin)

Attack Commands:

```bash
# Stage a copy of the mbox spool, then append a marker line to each copied regular file
mkdir -p /var/spool/mail/copy
for file in /var/spool/mail/*; do
    if [ "$(basename "$file")" != "copy" ]
    then
        cp -R "$file" /var/spool/mail/copy/
        if [ -f "/var/spool/mail/copy/$(basename "$file")" ]; then
            echo "Modification for Atomic Red Test" >> "/var/spool/mail/copy/$(basename "$file")"
        fi
    fi
done
```

Cleanup Commands:

```bash
rm -rf /var/spool/mail/copy
```
Copies and modifies mail data on macOS

Supported Platforms: macOS

auto_generated_guid: 8a0b1579-5a36-483a-9cde-0236983e1665

Executor: bash

Elevation Required (e.g. root or admin)

Attack Commands:

```bash
# Stage a copy of the Mail.app store, then write a marker file into the copy
mkdir ~/Library/Mail/copy
cp -R ~/Library/Mail/* ~/Library/Mail/copy
echo "Manipulated data" > ~/Library/Mail/copy/manipulated.txt
```

Cleanup Commands:

```bash
rm -rf ~/Library/Mail/copy
```
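A detection-side counterpart to the tests above, added here as an example and not part of Atomic Red Team: it classifies constructed JSON-lines telemetry (process command lines and file events) against the mail-store paths the tests touch and the `Remove-MailboxExportRequest` cmdlet named in the description. The telemetry schema, the sample records and the `TRUSTED_MAIL_PROCESSES` allowlist are assumptions for the example.

```python
import json
import re

# Indicators drawn from this page: the mail-store paths the atomic tests touch
# and the Exchange cmdlet named in the technique description.
MAIL_STORE_PATHS = (
    re.compile(r"\\AppData\\Local\\Comms\\Unistore\\data", re.I),  # Windows Mail app
    re.compile(r"(^|\s)/var/spool/mail(/|\s|$)"),                    # Linux mbox spool
    re.compile(r"/Library/Mail(/|\s|$)"),                            # macOS Mail.app
)
DELETE_VERBS = re.compile(r"(^|\s)(Remove-Item|rm|del|rd)(\s|$)", re.I)
EXCHANGE_CMDLET = re.compile(r"\bRemove-MailboxExportRequest\b", re.I)
# Assumed allowlist: the platform mail client legitimately rewrites its own store,
# so file events it generates are dropped to keep the rule from firing on every sync.
TRUSTED_MAIL_PROCESSES = {"Mail", "HxTsr.exe"}  # process names are assumptions


def classify_event(event):
    """Return a finding label for one telemetry record, or None if benign.
    Records are dicts: type 'process' carries 'cmdline'; type 'file' carries
    'op' (delete/modify/create), 'path' and the acting 'process' name."""
    if event["type"] == "process":
        cmd = event["cmdline"]
        if EXCHANGE_CMDLET.search(cmd):
            return "exchange_export_request_removed"
        if DELETE_VERBS.search(cmd) and any(p.search(cmd) for p in MAIL_STORE_PATHS):
            return "mail_store_delete_command"
    elif event["type"] == "file":
        if event.get("process") in TRUSTED_MAIL_PROCESSES:
            return None
        if event["op"] in ("delete", "modify") and any(
            p.search(event["path"]) for p in MAIL_STORE_PATHS
        ):
            return "mail_store_" + event["op"]
    return None


def scan(jsonl_lines):
    """Run classify_event over JSON-lines telemetry; return (host, label) hits in order."""
    hits = []
    for line in jsonl_lines:
        event = json.loads(line)
        label = classify_event(event)
        if label is not None:
            hits.append((event["host"], label))
    return hits


# Constructed sample telemetry (not real logs); backslashes are JSON-escaped.
SAMPLE_LOG = [
    r'{"host":"ex01","type":"process","cmdline":"powershell.exe Remove-MailboxExportRequest -Identity export1 -Confirm:$false"}',
    r'{"host":"ws02","type":"process","cmdline":"powershell.exe Remove-Item -Path C:\\Users\\a\\AppData\\Local\\Comms\\Unistore\\data\\copy -Recurse -Force"}',
    r'{"host":"ws02","type":"process","cmdline":"powershell.exe Get-ChildItem -Path C:\\Users\\a\\Documents"}',
    r'{"host":"mx03","type":"file","op":"delete","path":"/var/spool/mail/alice","process":"rm"}',
    r'{"host":"mac04","type":"file","op":"modify","path":"/Users/a/Library/Mail/copy/manipulated.txt","process":"bash"}',
    r'{"host":"mac04","type":"file","op":"modify","path":"/Users/a/Library/Mail/index.db","process":"Mail"}',
]
```

Running `scan(SAMPLE_LOG)` flags the Exchange cmdlet, the Windows `Remove-Item` on the Unistore path, the spool deletion and the bash-driven modification under `~/Library/Mail`, while the `Get-ChildItem` call and the mail client's own write are left alone.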