The title, essentially. It appears to be an anti-forensics measure. The only thing I can think of is it would prevent recovery of deleted rules. Any thoughts/experiences?
The Outlook rules are also documented in the M365 audit logs. So yes, it’s anti-forensics. But pretty weak. I haven’t seen a TA delete the rules…but commonly see the TA create the rules. Honestly, I don’t see much anti-forensics in the wild. They come in. Do damage. Leave. That’s how most of my engagements go.
Oh, and they love to maintain persistence. So by “leave” I really mean they leave a mess, and if you don’t work hard to kick them out, they’ll set themselves up for round 2 of damage in a few months.
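As an added defender-side example (not code from anyone in this thread), here is a Python triage pass over the kind of M365 unified audit log records the reply above refers to: it flags inbox-rule creations that hide or forward mail, and treats a Remove-InboxRule shortly after a creation by the same user as the high-severity pattern, because the deletion record survives in the audit log even after the rule itself is gone from the mailbox. The record shape (Operation, UserId, CreationTime, Name/Value Parameters) is assumed from the Exchange audit schema, the folder and parameter name lists are my own heuristics, and the sample records are constructed.

```python
"""Triage inbox-rule operations from an M365 unified audit log export.
Assumed record shape follows Search-UnifiedAuditLog AuditData; sample records are constructed."""
from datetime import datetime, timedelta

# Constructed sample: a rule hiding invoice mail is created, then deleted three hours later.
SAMPLE_RECORDS = [
    {"CreationTime": "2024-03-01T08:02:11", "Operation": "New-InboxRule", "Workload": "Exchange",
     "UserId": "finance@example.com",
     "Parameters": [{"Name": "Name", "Value": "."}, {"Name": "SubjectContainsWords", "Value": "invoice"},
                    {"Name": "MoveToFolder", "Value": "RSS Feeds"}, {"Name": "MarkAsRead", "Value": "True"}]},
    {"CreationTime": "2024-03-01T11:15:40", "Operation": "Remove-InboxRule", "Workload": "Exchange",
     "UserId": "finance@example.com", "Parameters": [{"Name": "Identity", "Value": "."}]},
    {"CreationTime": "2024-03-02T09:00:00", "Operation": "New-InboxRule", "Workload": "Exchange",
     "UserId": "alice@example.com",
     "Parameters": [{"Name": "Name", "Value": "Newsletters"}, {"Name": "MoveToFolder", "Value": "Reading"}]},
]

HIDE_FOLDERS = {"rss feeds", "rss subscriptions", "deleted items", "junk email", "conversation history"}
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}
CREATE_OPS, REMOVE_OPS = {"New-InboxRule", "Set-InboxRule"}, {"Remove-InboxRule", "Disable-InboxRule"}

def params(rec):
    """Flatten the audit record's Name/Value parameter list into a dict."""
    return {p["Name"]: p["Value"] for p in rec.get("Parameters", [])}

def rule_findings(records, window=timedelta(hours=24)):
    """Return (severity, user, detail) tuples. A removal is kept even though the rule is gone from
    the mailbox: the audit record is the artifact, and a creation by the same user inside `window` raises it to high."""
    findings, recent_creates = [], {}
    for rec in sorted(records, key=lambda r: r["CreationTime"]):
        if rec.get("Workload") != "Exchange" or rec["Operation"] not in CREATE_OPS | REMOVE_OPS:
            continue
        p, user = params(rec), rec["UserId"]
        ts = datetime.fromisoformat(rec["CreationTime"].rstrip("Z"))
        name = p.get("Name") or p.get("Identity") or "?"
        if rec["Operation"] in CREATE_OPS:
            recent_creates[(user, name)] = ts
            reasons = [why for hit, why in (
                (p.get("DeleteMessage") == "True" or p.get("MoveToFolder", "").lower() in HIDE_FOLDERS, "hides matching mail"),
                (FORWARD_PARAMS.intersection(p), "forwards mail"),
                (not name.strip(". ,-_?"), "near-empty rule name")) if hit]
            if reasons:
                findings.append(("medium", user, f"{rec['Operation']} '{name}': " + ", ".join(reasons)))
        else:
            created = recent_creates.get((user, name))
            paired = created is not None and ts - created <= window
            findings.append(("high" if paired else "low", user, f"{rec['Operation']} '{name}'"
                             + (f" {ts - created} after creation" if paired else "")))
    return findings
```

Run it over a real export by loading each row's AuditData JSON into the same dict shape; a long-lived rule removal still shows up as low severity so it is not silently dropped.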