rules/windows/powershell/powershell_script/powershell_suspicious_mail_acces.yml

title: Powershell Local Email Collection
id: 2837e152-93c8-43d2-85ba-c3cd3c2ae614
status: experimental
author: frack113
date: 2021/07/21
modified: 2021/10/16
description: Adversaries may target user email on local systems to collect sensitive information. Files containing email data can be acquired from a user’s local system, such as Outlook storage or cache files. 
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114.001/T1114.001.md
tags:
    - attack.collection
    - attack.t1114.001
logsource:
    product: windows
    category: ps_script
    definition: Script block logging must be enabled
detection:
    selection:
        ScriptBlockText|contains:
            - 'Get-Inbox.ps1'
            - 'Microsoft.Office.Interop.Outlook'
            - 'Microsoft.Office.Interop.Outlook.olDefaultFolders'
            - '-comobject outlook.application'
    condition: selection 
falsepositives:
    - Unknown
level: medium
-											add powershell_suspicious_mail_acces.yml
										
										
											2021-07-21 15:27:12 +02:00
+								title: Powershell Local Email Collection
 								id: 2837e152-93c8-43d2-85ba-c3cd3c2ae614
 								status: experimental
 								author: frack113
 								date: 2021/07/21
-											change to category: ps_script
										
										
											2021-10-16 08:18:49 +02:00
+								modified: 2021/10/16
-											add powershell_suspicious_mail_acces.yml
										
										
											2021-07-21 15:27:12 +02:00
+								description: Adversaries may target user email on local systems to collect sensitive information. Files containing email data can be acquired from a user’s local system, such as Outlook storage or cache files.
 								references:
 								    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114.001/T1114.001.md
 								tags:
 								    - attack.collection
 								    - attack.t1114.001
 								logsource:
 								    product: windows
-											change to category: ps_script
										
										
											2021-10-16 08:18:49 +02:00
+								    category: ps_script
-											Update PS rules
										
										
											2021-08-21 09:50:59 +02:00
+								    definition: Script block logging must be enabled
-											add powershell_suspicious_mail_acces.yml
										
										
											2021-07-21 15:27:12 +02:00
+								detection:
 								    selection:
 								        ScriptBlockText|contains:
 								            - 'Get-Inbox.ps1'
 								            - 'Microsoft.Office.Interop.Outlook'
 								            - 'Microsoft.Office.Interop.Outlook.olDefaultFolders'
 								            - '-comobject outlook.application'
 								    condition: selection
 								falsepositives:
 								    - Unknown
 								level: medium