T1114.001 IBM QRadar · QRadar

Detect Local Email Collection in IBM QRadar

Adversaries may target user email on local systems to collect sensitive information. Outlook stores email data in offline data files (.ost) and personal storage table files (.pst), typically located in C:\Users\<username>\AppData\Local\Microsoft\Outlook or C:\Users\<username>\Documents\Outlook Files. Threat actors access, copy, or exfiltrate these files to harvest credentials, reconnaissance data, business intelligence, or email threads for thread-hijacking phishing campaigns. Groups such as APT1, QakBot, Carbanak, and RedCurl have all employed this technique at scale.

MITRE ATT&CK

Tactic: Collection
Technique: T1114 Email Collection
Sub-technique: T1114.001 Local Email Collection
Canonical reference: https://attack.mitre.org/techniques/T1114/001/

QRadar Detection Query

IBM QRadar (QRadar)

```sql
SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  LOGSOURCENAME(logsourceid) AS log_source,
  "username",
  "sourceip",
  QIDNAME(qid) AS event_name,
  "EventID",
  "TargetFilename",
  "Image" AS process_image,
  "ParentImage" AS parent_image,
  "CommandLine" AS command_line,
  /* Branch 1-2: Sysmon EID 11 file creates; branch 3-4: Sysmon EID 1 process creates.
     MATCHES is the AQL regex operator and must match the whole string, hence the leading .* */
  CASE
    WHEN "EventID" = '11'
      AND (LOWER(COALESCE("TargetFilename", '')) LIKE '%appdata\\local\\microsoft\\outlook%'
           OR LOWER(COALESCE("TargetFilename", '')) LIKE '%documents\\outlook files%')
      AND NOT (LOWER(COALESCE("Image", '')) MATCHES '.*(outlook|searchindexer|searchprotocolhost|msosync|ocpubmgr)\.exe')
      THEN 'NonOutlookProcessAccessingEmailStore'
    WHEN "EventID" = '11'
      AND (LOWER(COALESCE("TargetFilename", '')) NOT LIKE '%appdata\\local\\microsoft\\outlook%'
           AND LOWER(COALESCE("TargetFilename", '')) NOT LIKE '%documents\\outlook files%')
      AND (LOWER(COALESCE("TargetFilename", '')) LIKE '%windows\\temp%'
           OR LOWER(COALESCE("TargetFilename", '')) LIKE '%\\temp\\%'
           OR LOWER(COALESCE("TargetFilename", '')) LIKE '%\\downloads\\%'
           OR LOWER(COALESCE("TargetFilename", '')) LIKE '%\\public\\%'
           OR LOWER(COALESCE("TargetFilename", '')) LIKE '%\\programdata\\%')
      THEN 'EmailFileStagedInSuspiciousLocation'
    WHEN "EventID" = '1'
      AND (LOWER(COALESCE("CommandLine", '')) LIKE '%.pst%'
           OR LOWER(COALESCE("CommandLine", '')) LIKE '%.ost%')
      AND (LOWER(COALESCE("CommandLine", '')) LIKE '%xcopy%'
           OR LOWER(COALESCE("CommandLine", '')) LIKE '%robocopy%'
           OR LOWER(COALESCE("CommandLine", '')) LIKE '%compress-archive%'
           OR LOWER(COALESCE("CommandLine", '')) LIKE '%invoke-webrequest%'
           OR LOWER(COALESCE("CommandLine", '')) LIKE '% copy %'
           OR LOWER(COALESCE("CommandLine", '')) LIKE '%wmic%')
      THEN 'CommandLinePstCopyOperation'
    WHEN "EventID" = '1'
      AND (LOWER(COALESCE("CommandLine", '')) LIKE '%.pst%'
           OR LOWER(COALESCE("CommandLine", '')) LIKE '%.ost%')
      THEN 'CommandLineReferencingEmailStore'
    ELSE NULL
  END AS detection_branch,
  /* Risk score: 3 = staged in a high-risk directory or copied/archived from the command line,
     2 = any non-Outlook process touching a PST/OST, 1 = everything else that passed the WHERE */
  CASE
    WHEN (LOWER(COALESCE("TargetFilename", '')) LIKE '%windows\\temp%'
          OR LOWER(COALESCE("TargetFilename", '')) LIKE '%\\downloads\\%'
          OR LOWER(COALESCE("TargetFilename", '')) LIKE '%\\public\\%')
      AND NOT (LOWER(COALESCE("Image", '')) MATCHES '.*(outlook|searchindexer|searchprotocolhost|msosync|ocpubmgr)\.exe')
      THEN 3
    WHEN (LOWER(COALESCE("CommandLine", '')) LIKE '%xcopy%'
          OR LOWER(COALESCE("CommandLine", '')) LIKE '%robocopy%'
          OR LOWER(COALESCE("CommandLine", '')) LIKE '%compress-archive%')
      AND (LOWER(COALESCE("CommandLine", '')) LIKE '%.pst%'
           OR LOWER(COALESCE("CommandLine", '')) LIKE '%.ost%')
      THEN 3
    WHEN NOT (LOWER(COALESCE("Image", '')) MATCHES '.*(outlook|searchindexer|searchprotocolhost|msosync|ocpubmgr)\.exe')
      AND (LOWER(COALESCE("TargetFilename", '')) LIKE '%.pst'
           OR LOWER(COALESCE("TargetFilename", '')) LIKE '%.ost')
      THEN 2
    ELSE 1
  END AS risk_score
FROM events
WHERE
  LOGSOURCETYPEID(logsourceid) IN (413 /* Sysmon */, 12 /* Windows Security */)
  AND (
    (
      "EventID" IN ('11')
      AND (
        LOWER(COALESCE("TargetFilename", '')) LIKE '%.pst'
        OR LOWER(COALESCE("TargetFilename", '')) LIKE '%.ost'
      )
    )
    OR (
      "EventID" IN ('1')
      AND LOWER(COALESCE("Image", '')) MATCHES '.*(cmd|powershell|pwsh|xcopy|robocopy|wmic|forfiles)\.exe'
      AND (
        LOWER(COALESCE("CommandLine", '')) LIKE '%.pst%'
        OR LOWER(COALESCE("CommandLine", '')) LIKE '%.ost%'
      )
    )
  )
  /* Drop the benign case of Outlook (or indexing/sync helpers) writing its own data files */
  AND CASE
    WHEN "EventID" = '11'
      AND (LOWER(COALESCE("TargetFilename", '')) LIKE '%appdata\\local\\microsoft\\outlook%'
           OR LOWER(COALESCE("TargetFilename", '')) LIKE '%documents\\outlook files%')
      AND NOT (LOWER(COALESCE("Image", '')) MATCHES '.*(outlook|searchindexer|searchprotocolhost|msosync|ocpubmgr)\.exe')
      THEN TRUE
    WHEN "EventID" = '11'
      AND (LOWER(COALESCE("TargetFilename", '')) NOT LIKE '%appdata\\local\\microsoft\\outlook%')
      AND (LOWER(COALESCE("TargetFilename", '')) LIKE '%\\temp\\%'
           OR LOWER(COALESCE("TargetFilename", '')) LIKE '%\\downloads\\%'
           OR LOWER(COALESCE("TargetFilename", '')) LIKE '%\\public\\%'
           OR LOWER(COALESCE("TargetFilename", '')) LIKE '%\\programdata\\%')
      THEN TRUE
    WHEN "EventID" = '1'
      AND (LOWER(COALESCE("CommandLine", '')) LIKE '%.pst%'
           OR LOWER(COALESCE("CommandLine", '')) LIKE '%.ost%')
      THEN TRUE
    ELSE FALSE
  END = TRUE
ORDER BY risk_score DESC, devicetime DESC
LAST 1 DAYS
```

Severity: high · Confidence: medium

This AQL query for IBM QRadar detects local collection of Outlook PST/OST email stores from Sysmon telemetry. It watches Sysmon Event ID 11 (file creation) for PST/OST files written by processes other than Outlook and its helpers, or written outside the normal Outlook directories into staging locations such as Temp, Downloads, Public and ProgramData, and Sysmon Event ID 1 (process creation) for shell command lines that reference PST/OST files, scoring higher when the command line also carries a copy, archive or download verb.

Data Sources

  • Windows Sysmon (via QRadar WinCollect or DSM)
  • Windows Security Event Log

Required Tables

events (QRadar unified event store)

False Positives & Tuning

  • Enterprise backup agents (Commvault, NetBackup, Veeam) generating Sysmon Event ID 11 for PST/OST files during scheduled backup windows — add known backup service account names and process names to a reference set for exclusion
  • PST-to-cloud migration utilities during Office 365 onboarding (e.g., Microsoft MFCMAPI, BitTitan MigrationWiz agent) copying PST files to staging directories — correlate with active migration project CIs
  • Security or compliance scanning tools (e.g., Varonis, Spirion) that enumerate or read email files during data classification scans — verify against approved scanner schedule and service account
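The detection branches and risk scoring of the query above, plus the reference-set exclusion recommended in the tuning notes, implemented in Python over constructed Sysmon events so the logic can be checked offline. This is an added example, not the page's rule or any QRadar code; the backup-agent names in BACKUP_REFERENCE_SET and the sample paths are assumptions.

```python
import re

# Process images the QRadar rule treats as legitimate handlers of Outlook data files.
TRUSTED_IMAGE = re.compile(r".*(outlook|searchindexer|searchprotocolhost|msosync|ocpubmgr)\.exe$")
SHELL_IMAGE = re.compile(r".*(cmd|powershell|pwsh|xcopy|robocopy|wmic|forfiles)\.exe$")
OUTLOOK_DIRS = ("appdata\\local\\microsoft\\outlook", "documents\\outlook files")
STAGING_DIRS = ("\\windows\\temp", "\\temp\\", "\\downloads\\", "\\public\\", "\\programdata\\")
HIGH_RISK_DIRS = ("\\windows\\temp", "\\downloads\\", "\\public\\")
COPY_VERBS = ("xcopy", "robocopy", "compress-archive", "invoke-webrequest", " copy ", "wmic")
BACKUP_REFERENCE_SET = {"cvd.exe", "veeamagent.exe"}  # hypothetical tuned-out backup agents

def classify(ev):
    """Return (detection_branch, risk_score) for one Sysmon event, or None if out of scope."""
    eid = ev.get("EventID")
    target = ev.get("TargetFilename", "").lower()
    image = ev.get("Image", "").lower()
    cmd = ev.get("CommandLine", "").lower()
    if image.rsplit("\\", 1)[-1] in BACKUP_REFERENCE_SET:
        return None  # reference-set exclusion from the tuning notes
    trusted = TRUSTED_IMAGE.match(image) is not None
    mentions_store = ".pst" in cmd or ".ost" in cmd
    branch = None
    if eid == 11 and target.endswith((".pst", ".ost")):
        in_outlook_dir = any(d in target for d in OUTLOOK_DIRS)
        if in_outlook_dir and not trusted:
            branch = "NonOutlookProcessAccessingEmailStore"
        elif not in_outlook_dir and any(d in target for d in STAGING_DIRS):
            branch = "EmailFileStagedInSuspiciousLocation"
    elif eid == 1 and SHELL_IMAGE.match(image) and mentions_store:
        branch = ("CommandLinePstCopyOperation" if any(v in cmd for v in COPY_VERBS)
                  else "CommandLineReferencingEmailStore")
    if branch is None:
        return None  # e.g. Outlook writing its own store, which the WHERE clause drops
    # Risk score mirrors the query's second CASE expression (3 / 3 / 2 / 1).
    score = (3 if (not trusted and any(d in target for d in HIGH_RISK_DIRS))
             or (mentions_store and any(v in cmd for v in ("xcopy", "robocopy", "compress-archive")))
             else 2 if not trusted and target.endswith((".pst", ".ost")) else 1)
    return branch, score

# Constructed sample events (not real telemetry), one per case worth checking.
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": r"C:\Program Files\Microsoft Office\OUTLOOK.EXE",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Microsoft\Outlook\alice.ost"},
    {"EventID": 11, "Image": r"C:\Windows\System32\cmd.exe", "TargetFilename": r"C:\Windows\Temp\staged.ost"},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe Compress-Archive -Path 'C:\Users\alice\Documents\Outlook Files\a.pst'"},
    {"EventID": 11, "Image": r"C:\Program Files\Veeam\VeeamAgent.exe", "TargetFilename": r"C:\ProgramData\mail.pst"},
]
```

Running classify over SAMPLE_EVENTS yields None for Outlook on its own store and for the tuned-out backup agent, and scored branches for the cmd.exe staging write and the PowerShell archive command.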

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Copy Outlook OST File to Windows Temp (cmd.exe)

    Expected signal: Sysmon Event ID 1: Process Create with Image=cmd.exe, CommandLine containing '.ost' and 'copy'. Sysmon Event ID 11: File Create with TargetFilename=%TEMP%\staged_email.ost, Image=cmd.exe. Security Event ID 4688 (if process command line auditing enabled) with same details. Security Event ID 4663 (if object access auditing enabled on Outlook directory) showing read access by cmd.exe.

  2. Test 2: Enumerate and Copy PST Files with PowerShell

    Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Get-ChildItem', '.pst', and 'Copy-Item'. Sysmon Event ID 11: File Create with TargetFilename=C:\ProgramData\dftest_email_staged.pst, Image=powershell.exe. PowerShell ScriptBlock Log Event ID 4104 capturing full script. Security Event ID 4688 for the PowerShell process.

  3. Test 3: WMIC Remote Process PST Copy (Chimera APT Pattern)

    Expected signal: Sysmon Event ID 1: Process Create with Image=wmic.exe, CommandLine containing 'process call create' and '.ost'. Secondary Sysmon Event ID 1 for the spawned cmd.exe with the copy command. Sysmon Event ID 11 for the created file in Temp. Security Event ID 4688 for both wmic.exe and cmd.exe child process. Sysmon Event ID 3 (Network Connection) for wmic WMI connection to localhost.

  4. Test 4: Archive Outlook Data Files for Exfiltration Preparation

    Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Compress-Archive' and '.pst'. Sysmon Event ID 11: File Create events for both the dummy .pst and the resulting .zip archive in Temp. PowerShell ScriptBlock Log Event ID 4104 with full script. File Create event for the archive file may also trigger DLP rules if archive-in-staging detection is enabled.
