T1114.001

Local Email Collection

Adversaries may target user email on local systems to collect sensitive information. Outlook stores email data in offline data files (.ost) and personal storage table files (.pst), typically located in C:\Users\<username>\AppData\Local\Microsoft\Outlook or C:\Users\<username>\Documents\Outlook Files. Threat actors access, copy, or exfiltrate these files to harvest credentials, reconnaissance data, business intelligence, or email threads for thread-hijacking phishing campaigns. Groups such as APT1, QakBot, Carbanak, and RedCurl have all employed this technique at scale.

Microsoft Sentinel / Defender

kusto

let OutlookDataPaths = dynamic([
    "\\AppData\\Local\\Microsoft\\Outlook\\",
    "\\Documents\\Outlook Files\\"
]);
let TrustedOutlookProcesses = dynamic([
    "outlook.exe", "msoia.exe", "ocpubmgr.exe", "olk.exe",
    "searchindexer.exe", "searchprotocolhost.exe", "msosync.exe"
]);
let StagingPaths = dynamic([
    "\\Windows\\Temp\\", "\\Temp\\", "\\Downloads\\",
    "\\Public\\", "\\ProgramData\\", "\\AppData\\Roaming\\",
    "\\Users\\Public\\"
]);
let SuspiciousCopyProcesses = dynamic([
    "cmd.exe", "powershell.exe", "pwsh.exe", "xcopy.exe",
    "robocopy.exe", "wmic.exe", "forfiles.exe", "7z.exe",
    "winrar.exe", "rar.exe", "zip.exe"
]);
// Branch 1: Non-Outlook processes accessing .pst/.ost files in Outlook directories
let SuspiciousOutlookAccess = DeviceFileEvents
| where Timestamp > ago(24h)
| where FileName endswith ".pst" or FileName endswith ".ost"
| where FolderPath has_any (OutlookDataPaths)
| where not (InitiatingProcessFileName in~ (TrustedOutlookProcesses))
| extend DetectionBranch = "NonOutlookProcessAccessingEmailStore"
| extend RiskScore = iff(InitiatingProcessFileName in~ (SuspiciousCopyProcesses), 3, 1);
// Branch 2: .pst/.ost files written or created outside Outlook directories (staging)
let EmailFileStagedElsewhere = DeviceFileEvents
| where Timestamp > ago(24h)
| where FileName endswith ".pst" or FileName endswith ".ost"
| where ActionType in ("FileCreated", "FileRenamed")
| where not (FolderPath has_any (OutlookDataPaths))
| extend DetectionBranch = "EmailFileCreatedInStagingLocation"
| extend RiskScore = iff(FolderPath has_any (StagingPaths), 3, 2);
// Branch 3: Command-line copy operations explicitly targeting .pst/.ost paths
let CmdLinePstAccess = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("cmd.exe", "powershell.exe", "pwsh.exe", "xcopy.exe", "robocopy.exe", "wmic.exe")
| where ProcessCommandLine has ".pst" or ProcessCommandLine has ".ost"
| where ProcessCommandLine has_any ("copy ", "xcopy ", "robocopy ", "cp ", "move ", "Get-ChildItem", "gci ", "dir ", "ls ", "Compress", "Archive", "Invoke-WebRequest", "curl", "wmic")
| extend DetectionBranch = "CommandLinePstOstOperation"
| extend RiskScore = 2;
union SuspiciousOutlookAccess, EmailFileStagedElsewhere
| project Timestamp, DeviceName, AccountName, ActionType, FileName, FolderPath,
         InitiatingProcessFileName, InitiatingProcessCommandLine,
         InitiatingProcessParentFileName, DetectionBranch, RiskScore
| sort by RiskScore desc, Timestamp desc

high severity high confidence

Data Sources

File: File Access File: File Creation Process: Process Creation Command: Command Execution Microsoft Defender for Endpoint

Required Tables

DeviceFileEvents DeviceProcessEvents

False Positives

Backup agents (Veeam, Acronis, Windows Backup, Azure Backup) that enumerate and copy user profile data including Outlook stores — these typically run under service accounts with known parent processes
IT migration tools (BitTitan MigrationWiz, PST Capture Tool, Barracuda PST Enterprise) used during Exchange Online migrations to collect and import PST files
Antivirus and DLP scanning engines that access .pst/.ost files for content inspection — notably Symantec DLP, Forcepoint, and Microsoft Purview
Third-party Outlook add-ins or backup utilities (e.g., MailStore, Mailbird, Stellar OST to PST Converter) that legitimately access offline email stores
SearchIndexer.exe or SearchProtocolHost.exe Windows Search indexing — already excluded in TrustedOutlookProcesses but may appear under alternate process names

Splunk

spl

index=sysmon sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"
(
  (EventCode=11 (TargetFilename="*.pst" OR TargetFilename="*.ost"))
  OR
  (EventCode=1 (CommandLine="*.pst*" OR CommandLine="*.ost*"))
)
| eval FilePath=coalesce(TargetFilename, "")
| eval CommandLineVal=coalesce(CommandLine, "")
| eval ProcessName=lower(coalesce(Image, ""))
| eval ParentProcessName=lower(coalesce(ParentImage, ""))
| eval IsOutlookPath=if(match(FilePath, "(?i)(AppData\\Local\\Microsoft\\Outlook|Documents\\Outlook Files)"), 1, 0)
| eval IsStagingPath=if(match(FilePath, "(?i)(\\Windows\\Temp|\\Temp\\|\\Downloads\\|\\Public\\|\\ProgramData\\)"), 1, 0)
| eval IsTrustedOutlookProc=if(match(ProcessName, "(outlook\.exe|searchindexer\.exe|searchprotocolhost\.exe|msosync\.exe|ocpubmgr\.exe)"), 1, 0)
| eval IsCopyOp=if(match(CommandLineVal, "(?i)(\bcopy\b|xcopy|robocopy|\bcp\b|move|compress-archive|invoke-webrequest|\bcurl\b|wmic.*process.*call.*create)"), 1, 0)
| eval IsPstOstCmdLine=if(match(CommandLineVal, "(?i)\.(pst|ost)"), 1, 0)
| eval DetectionBranch=case(
    EventCode=11 AND IsStagingPath=1, "EmailFileStagedInSuspiciousLocation",
    EventCode=11 AND IsTrustedOutlookProc=0, "NonOutlookProcessCreatedEmailFile",
    EventCode=1 AND IsPstOstCmdLine=1 AND IsCopyOp=1, "CommandLinePstCopyOperation",
    EventCode=1 AND IsPstOstCmdLine=1, "CommandLineReferencingEmailStore",
    true(), "Other"
  )
| eval RiskScore=case(
    IsStagingPath=1 AND IsTrustedOutlookProc=0, 3,
    IsCopyOp=1 AND IsPstOstCmdLine=1, 3,
    DetectionBranch="NonOutlookProcessCreatedEmailFile", 2,
    true(), 1
  )
| where DetectionBranch != "Other"
| table _time, host, User, ProcessName, ParentProcessName, CommandLineVal, FilePath,
        EventCode, DetectionBranch, RiskScore, IsOutlookPath, IsStagingPath
| sort - RiskScore, - _time

high severity high confidence

Data Sources

File: File Creation Process: Process Creation Command: Command Execution Sysmon Event ID 11 Sysmon Event ID 1

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Backup agents (Veeam, Acronis, Windows Backup) accessing Outlook data files during scheduled profile backups — typically identifiable by known parent service processes
IT PST migration tools used during Exchange Online or M365 transitions that legitimately enumerate and copy .pst files from user workstations
DLP or antivirus scanning engines that inspect .pst/.ost content and may trigger FileCreate events when extracting or scanning
Third-party Outlook backup or archiving utilities (MailStore, Stellar, Kernel OST Viewer) that access offline stores as part of their normal operation

Elastic Security (EQL)

eql

sequence by host.name with maxspan=5m
  [file where event.action in ("creation", "overwrite", "rename") and
   (file.name like~ "*.pst" or file.name like~ "*.ost") and
   not (
     file.path like~ "*\\AppData\\Local\\Microsoft\\Outlook\\*" or
     file.path like~ "*\\Documents\\Outlook Files\\*"
   )
  ] by process.entity_id

| [process where event.type == "start" and
   (process.name like~ "*.exe") and
   not process.name in~ ("outlook.exe", "msoia.exe", "ocpubmgr.exe", "olk.exe",
                          "searchindexer.exe", "searchprotocolhost.exe", "msosync.exe")
  ] by process.entity_id

/* Standalone: non-Outlook process accessing PST/OST in Outlook directories */
OR
file where event.action in ("creation", "overwrite", "rename", "access") and
  (file.name like~ "*.pst" or file.name like~ "*.ost") and
  (
    file.path like~ "*\\AppData\\Local\\Microsoft\\Outlook\\*" or
    file.path like~ "*\\Documents\\Outlook Files\\*"
  ) and
  not process.name in~ ("outlook.exe", "msoia.exe", "ocpubmgr.exe", "olk.exe",
                         "searchindexer.exe", "searchprotocolhost.exe", "msosync.exe")

/* Process command-line referencing PST/OST with copy operations */
OR
process where event.type == "start" and
  process.name in~ ("cmd.exe", "powershell.exe", "pwsh.exe", "xcopy.exe",
                    "robocopy.exe", "wmic.exe", "forfiles.exe") and
  (
    process.args like~ "*.pst*" or process.args like~ "*.ost*" or
    process.command_line like~ "*.pst*" or process.command_line like~ "*.ost*"
  ) and
  (
    process.command_line like~ "* copy *" or process.command_line like~ "*xcopy*" or
    process.command_line like~ "*robocopy*" or process.command_line like~ "*Compress-Archive*" or
    process.command_line like~ "*Invoke-WebRequest*" or process.command_line like~ "*curl*"
  )

high severity high confidence

Data Sources

Elastic Endpoint Security (file events) Elastic Endpoint Security (process events) Windows Sysmon via Filebeat (ECS-normalized)

Required Tables

logs-endpoint.events.file-* logs-endpoint.events.process-* logs-*

False Positives

Backup software (e.g., Veeam, Acronis, Windows Backup) legitimately copies PST/OST files during scheduled backup jobs — verify process ancestry and destination path against known backup schedules
IT administrators using robocopy or xcopy during migration projects (e.g., Office 365 migration) to stage PST files for upload — correlate with change tickets and source IP
Third-party email archiving or compliance tools (e.g., Mimecast, Veritas Enterprise Vault) that access Outlook data files as part of their normal archiving operations — whitelist known service account names

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  logsourcename(logsourceid) AS log_source,
  "username",
  "sourceip",
  QIDNAME(qid) AS event_name,
  "EventID",
  "TargetFilename",
  "Image" AS process_image,
  "ParentImage" AS parent_image,
  "CommandLine" AS command_line,
  CASE
    WHEN "EventID" = '11'
      AND (LOWER(COALESCE("TargetFilename", '')) LIKE '%appdata\\local\\microsoft\\outlook%'
           OR LOWER(COALESCE("TargetFilename", '')) LIKE '%documents\\outlook files%')
      AND LOWER(COALESCE("Image", '')) NOT SIMILAR TO '%(outlook|searchindexer|searchprotocolhost|msosync|ocpubmgr)\.exe'
      THEN 'NonOutlookProcessAccessingEmailStore'
    WHEN "EventID" = '11'
      AND (LOWER(COALESCE("TargetFilename", '')) NOT LIKE '%appdata\\local\\microsoft\\outlook%'
           AND LOWER(COALESCE("TargetFilename", '')) NOT LIKE '%documents\\outlook files%')
      AND (LOWER(COALESCE("TargetFilename", '')) LIKE '%windows\\temp%'
           OR LOWER(COALESCE("TargetFilename", '')) LIKE '%\\temp\\%'
           OR LOWER(COALESCE("TargetFilename", '')) LIKE '%\\downloads\\%'
           OR LOWER(COALESCE("TargetFilename", '')) LIKE '%\\public\\%'
           OR LOWER(COALESCE("TargetFilename", '')) LIKE '%\\programdata\\%')
      THEN 'EmailFileStagedInSuspiciousLocation'
    WHEN "EventID" = '1'
      AND (LOWER(COALESCE("CommandLine", '')) LIKE '%.pst%'
           OR LOWER(COALESCE("CommandLine", '')) LIKE '%.ost%')
      AND (LOWER(COALESCE("CommandLine", '')) LIKE '%xcopy%'
           OR LOWER(COALESCE("CommandLine", '')) LIKE '%robocopy%'
           OR LOWER(COALESCE("CommandLine", '')) LIKE '%compress-archive%'
           OR LOWER(COALESCE("CommandLine", '')) LIKE '%invoke-webrequest%'
           OR LOWER(COALESCE("CommandLine", '')) LIKE '% copy %'
           OR LOWER(COALESCE("CommandLine", '')) LIKE '%wmic%')
      THEN 'CommandLinePstCopyOperation'
    WHEN "EventID" = '1'
      AND (LOWER(COALESCE("CommandLine", '')) LIKE '%.pst%'
           OR LOWER(COALESCE("CommandLine", '')) LIKE '%.ost%')
      THEN 'CommandLineReferencingEmailStore'
    ELSE NULL
  END AS detection_branch,
  CASE
    WHEN (LOWER(COALESCE("TargetFilename", '')) LIKE '%windows\\temp%'
          OR LOWER(COALESCE("TargetFilename", '')) LIKE '%\\downloads\\%'
          OR LOWER(COALESCE("TargetFilename", '')) LIKE '%\\public\\%')
      AND LOWER(COALESCE("Image", '')) NOT SIMILAR TO '%(outlook|searchindexer|searchprotocolhost|msosync|ocpubmgr)\.exe'
      THEN 3
    WHEN (LOWER(COALESCE("CommandLine", '')) LIKE '%xcopy%'
          OR LOWER(COALESCE("CommandLine", '')) LIKE '%robocopy%'
          OR LOWER(COALESCE("CommandLine", '')) LIKE '%compress-archive%')
      AND (LOWER(COALESCE("CommandLine", '')) LIKE '%.pst%'
           OR LOWER(COALESCE("CommandLine", '')) LIKE '%.ost%')
      THEN 3
    WHEN LOWER(COALESCE("Image", '')) NOT SIMILAR TO '%(outlook|searchindexer|searchprotocolhost|msosync|ocpubmgr)\.exe'
      AND (LOWER(COALESCE("TargetFilename", '')) LIKE '%.pst'
           OR LOWER(COALESCE("TargetFilename", '')) LIKE '%.ost')
      THEN 2
    ELSE 1
  END AS risk_score
FROM events
WHERE
  LOGSOURCETYPEID(logsourceid) IN (413 /* Sysmon */, 12 /* Windows Security */)
  AND devicetime > NOW() - 1 DAYS
  AND (
    (
      "EventID" IN ('11')
      AND (
        LOWER(COALESCE("TargetFilename", '')) LIKE '%.pst'
        OR LOWER(COALESCE("TargetFilename", '')) LIKE '%.ost'
      )
    )
    OR (
      "EventID" IN ('1')
      AND LOWER(COALESCE("Image", '')) SIMILAR TO '%(cmd|powershell|pwsh|xcopy|robocopy|wmic|forfiles)\.exe'
      AND (
        LOWER(COALESCE("CommandLine", '')) LIKE '%.pst%'
        OR LOWER(COALESCE("CommandLine", '')) LIKE '%.ost%'
      )
    )
  )
  AND CASE
    WHEN "EventID" = '11'
      AND (LOWER(COALESCE("TargetFilename", '')) LIKE '%appdata\\local\\microsoft\\outlook%'
           OR LOWER(COALESCE("TargetFilename", '')) LIKE '%documents\\outlook files%')
      AND LOWER(COALESCE("Image", '')) NOT SIMILAR TO '%(outlook|searchindexer|searchprotocolhost|msosync|ocpubmgr)\.exe'
      THEN TRUE
    WHEN "EventID" = '11'
      AND (LOWER(COALESCE("TargetFilename", '')) NOT LIKE '%appdata\\local\\microsoft\\outlook%')
      AND (LOWER(COALESCE("TargetFilename", '')) LIKE '%\\temp\\%'
           OR LOWER(COALESCE("TargetFilename", '')) LIKE '%\\downloads\\%'
           OR LOWER(COALESCE("TargetFilename", '')) LIKE '%\\public\\%'
           OR LOWER(COALESCE("TargetFilename", '')) LIKE '%\\programdata\\%')
      THEN TRUE
    WHEN "EventID" = '1'
      AND (LOWER(COALESCE("CommandLine", '')) LIKE '%.pst%'
           OR LOWER(COALESCE("CommandLine", '')) LIKE '%.ost%')
      THEN TRUE
    ELSE FALSE
  END = TRUE
ORDER BY risk_score DESC, devicetime DESC

high severity medium confidence

Data Sources

Windows Sysmon (via QRadar WinCollect or DSM) Windows Security Event Log

Required Tables

events (QRadar unified event store)

False Positives

Enterprise backup agents (Commvault, NetBackup, Veeam) generating Sysmon Event ID 11 for PST/OST files during scheduled backup windows — add known backup service account names and process names to a reference set for exclusion
PST-to-cloud migration utilities during Office 365 onboarding (e.g., Microsoft MFCMAPI, BitTitan MigrationWiz agent) copying PST files to staging directories — correlate with active migration project CIs
Security or compliance scanning tools (e.g., Varonis, Spirion) that enumerate or read email files during data classification scans — verify against approved scanner schedule and service account

Sumo Logic CSE

sql

_sourceCategory="windows/sysmon" OR _sourceCategory="WinEventLog/Sysmon"
| json auto
| where EventID in ("1", "11")
| parse field=TargetFilename "*" as target_filename nodrop
| parse field=Image "*" as process_image nodrop
| parse field=ParentImage "*" as parent_image nodrop
| parse field=CommandLine "*" as command_line nodrop
| where (EventID == "11" and (target_filename matches "*.pst" or target_filename matches "*.ost"))
      OR (EventID == "1" and (toLowerCase(command_line) matches "*.pst*" or toLowerCase(command_line) matches "*.ost*")
          and toLowerCase(process_image) matches "*(cmd.exe|powershell.exe|pwsh.exe|xcopy.exe|robocopy.exe|wmic.exe|forfiles.exe)*")
| eval is_outlook_path = if(matches(toLowerCase(target_filename), "*(appdata\\local\\microsoft\\outlook|documents\\outlook files)*"), 1, 0)
| eval is_staging_path = if(matches(toLowerCase(target_filename), "*(\\windows\\temp|\\temp\\|\\downloads\\|\\public\\|\\programdata\\|\\appdata\\roaming\\|\\users\\public\\)*"), 1, 0)
| eval is_trusted_outlook_proc = if(matches(toLowerCase(process_image), "*(outlook.exe|searchindexer.exe|searchprotocolhost.exe|msosync.exe|ocpubmgr.exe|msoia.exe|olk.exe)*"), 1, 0)
| eval is_copy_operation = if(matches(toLowerCase(command_line), "*(xcopy|robocopy|compress-archive|invoke-webrequest|\bcopy\b|wmic.*call.*create)*"), 1, 0)
| eval detection_branch = if(EventID == "11" and is_outlook_path == 1 and is_trusted_outlook_proc == 0, "NonOutlookProcessAccessingEmailStore",
    if(EventID == "11" and is_outlook_path == 0 and is_staging_path == 1, "EmailFileStagedInSuspiciousLocation",
    if(EventID == "1" and is_copy_operation == 1, "CommandLinePstCopyOperation",
    if(EventID == "1", "CommandLineReferencingEmailStore", "Other"))))
| where detection_branch != "Other"
| eval risk_score = if(is_staging_path == 1 and is_trusted_outlook_proc == 0, 3,
    if(is_copy_operation == 1, 3,
    if(detection_branch == "NonOutlookProcessAccessingEmailStore", 2, 1)))
| fields _messagetime, Computer, User, EventID, process_image, parent_image,
         command_line, target_filename, detection_branch, risk_score,
         is_outlook_path, is_staging_path, is_trusted_outlook_proc
| sort by risk_score desc, _messagetime desc

high severity high confidence

Data Sources

Windows Sysmon logs via Sumo Logic Installed Collector Sumo Logic Cloud SIEM (CSE) normalized events

Required Tables

Sysmon event logs (_sourceCategory=windows/sysmon)

False Positives

Automated PST export tools used by legal or HR during e-discovery or termination workflows — these will generate high-risk scores when run from cmd.exe or PowerShell; coordinate with legal holds tracker
macOS/iOS device management sync agents or backup clients on Windows endpoints that access Outlook data during sync operations — verify process digital signature and publisher in process_image field
IT helpdesk remote assistance sessions where technicians use robocopy or xcopy to recover corrupted PST files on behalf of users — will appear identical to malicious staging; correlate with open helpdesk tickets

Google Chronicle / SecOps

yaral

rule t1114_001_local_email_collection {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects local Outlook PST/OST email collection via file access by non-Outlook processes, staging in suspicious directories, or command-line copy operations targeting email stores"
    mitre_attack_technique = "T1114.001"
    mitre_attack_tactic = "Collection"
    severity = "HIGH"
    priority = "HIGH"
    reference = "https://attack.mitre.org/techniques/T1114/001/"
    created = "2026-04-18"
    version = "1.0"

  events:
    (
      // Branch 1: Non-Outlook process accessing PST/OST in Outlook directories
      (
        $e1.metadata.event_type = "FILE_OPEN" OR
        $e1.metadata.event_type = "FILE_CREATION" OR
        $e1.metadata.event_type = "FILE_COPY"
      ) AND
      (
        $e1.target.file.full_path = /(?i)\.(pst|ost)$/
      ) AND
      (
        $e1.target.file.full_path = /(?i)(AppData\\Local\\Microsoft\\Outlook|Documents\\Outlook Files)/
      ) AND
      NOT $e1.principal.process.file.full_path = /(?i)(outlook\.exe|msoia\.exe|ocpubmgr\.exe|olk\.exe|searchindexer\.exe|searchprotocolhost\.exe|msosync\.exe)$/
    )
    OR
    (
      // Branch 2: PST/OST staged outside Outlook directories in suspicious paths
      (
        $e1.metadata.event_type = "FILE_CREATION" OR
        $e1.metadata.event_type = "FILE_COPY"
      ) AND
      $e1.target.file.full_path = /(?i)\.(pst|ost)$/ AND
      NOT $e1.target.file.full_path = /(?i)(AppData\\Local\\Microsoft\\Outlook|Documents\\Outlook Files)/ AND
      (
        $e1.target.file.full_path = /(?i)(\\Windows\\Temp|\\Temp\\|\\Downloads\\|\\Public\\|\\ProgramData\\|\\AppData\\Roaming\\|\\Users\\Public\\)/
      )
    )
    OR
    (
      // Branch 3: Command-line process referencing PST/OST with copy/exfil verbs
      $e1.metadata.event_type = "PROCESS_LAUNCH" AND
      $e1.principal.process.file.full_path = /(?i)(cmd\.exe|powershell\.exe|pwsh\.exe|xcopy\.exe|robocopy\.exe|wmic\.exe|forfiles\.exe)$/ AND
      $e1.target.process.command_line = /(?i)\.(pst|ost)/ AND
      (
        $e1.target.process.command_line = /(?i)(\bcopy\b|xcopy|robocopy|Compress-Archive|Invoke-WebRequest|\bcurl\b|wmic.*process.*call|\bmove\b)/
      )
    )

  condition:
    $e1
}

high severity high confidence

Data Sources

Google Chronicle UDM (Unified Data Model) Windows endpoint telemetry forwarded to Chronicle Sysmon events normalized to Chronicle UDM

Required Tables

UDM events (file, process event types)

False Positives

Windows Search indexer (searchindexer.exe) and Search Protocol Host (searchprotocolhost.exe) are explicitly excluded but other indexing or DLP agents may access PST/OST files — verify principal.process.file.full_path against approved endpoint tool inventory
Outlook add-ins or COM add-in host processes that interact with PST/OST files on behalf of the user may trigger Branch 1 — inspect principal.process.file.full_path for known addin executables and add to exclusion
PowerShell scripts used in IT automation for PST import/export workflows (e.g., Exchange Online import) will trigger Branch 3 — validate target.process.command_line for authorized import scripts via hash or script path allow-list

CrowdStrike LogScale (CQL)

cql

// Branch 1 & 2: File write/creation events targeting .pst or .ost files
#event_simpleName = "PeFileWritten" OR #event_simpleName = "NewExecutableWritten" OR #event_simpleName = "SuspiciousFileWritten"
| FileName = /(?i)\.(pst|ost)$/
| FilePath != null
| isOutlookPath := match(field=FilePath, pattern=/(AppData\\Local\\Microsoft\\Outlook|Documents\\Outlook Files)/i)
| isStagingPath := match(field=FilePath, pattern=/(\\Windows\\Temp|\\Temp\\|\\Downloads\\|\\Public\\|\\ProgramData\\|\\AppData\\Roaming\\|\\Users\\Public\\)/i)
| isTrustedProc := match(field=ImageFileName, pattern=/(outlook\.exe|msoia\.exe|ocpubmgr\.exe|olk\.exe|searchindexer\.exe|searchprotocolhost\.exe|msosync\.exe)/i)
| where (isOutlookPath = true AND isTrustedProc = false) OR isStagingPath = true
| DetectionBranch := if(isOutlookPath = true AND isTrustedProc = false, "NonOutlookProcessAccessingEmailStore",
    if(isStagingPath = true, "EmailFileStagedInSuspiciousLocation", "EmailFileWritten"))
| RiskScore := if(isStagingPath = true AND isTrustedProc = false, 3,
    if(DetectionBranch = "NonOutlookProcessAccessingEmailStore", 2, 1))
| table([_timstamp, ComputerName, UserName, FileName, FilePath, ImageFileName,
         ParentBaseFileName, DetectionBranch, RiskScore])

// Branch 3: Process execution with PST/OST in command line
| join(
  #event_simpleName = "ProcessRollup2"
  | ImageFileName = /(?i)(cmd\.exe|powershell\.exe|pwsh\.exe|xcopy\.exe|robocopy\.exe|wmic\.exe|forfiles\.exe)/
  | CommandLine = /(?i)\.(pst|ost)/
  | isCopyOp := match(field=CommandLine, pattern=/(\bcopy\b|xcopy|robocopy|Compress-Archive|Invoke-WebRequest|\bcurl\b|wmic.*process|\bmove\b)/i)
  | where isCopyOp = true
  | DetectionBranch := "CommandLinePstCopyOperation"
  | RiskScore := 3
  | table([_timstamp, ComputerName, UserName, FileName, CommandLine,
           ParentBaseFileName, DetectionBranch, RiskScore])
, field=ComputerName, joinType=full
)
| sort(field=RiskScore, order=desc)
| sort(field=_timstamp, order=desc)

high severity medium confidence

Data Sources

CrowdStrike Falcon Endpoint Detection (EDR) Falcon LogScale (Humio) via Falcon Data Replicator

Required Tables

PeFileWritten (Falcon sensor file write events) ProcessRollup2 (Falcon sensor process creation events)

False Positives

CrowdStrike Falcon sensor's own processes or third-party EDR agents that inspect PST/OST files for malware scanning will match Branch 1 — exclude by CID-verified sensor process ImageFileName values
Corporate PST archival workflows using PowerShell or cmd.exe scheduled tasks for nightly PST compaction or backup — these produce identical Branch 3 signals; correlate CommandLine hash against approved automation script registry
Network-attached or cloud backup clients (e.g., Backblaze, Carbonite, OneDrive sync client for large PST files) writing PST/OST data to staging areas before upload — verify ImageFileName digital signature publisher field matches expected backup vendor

Last updated: 2026-04-18 Research depth: deep

References (9)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1114.001 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Local Email Collection

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Collection

Popular Detections