security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
2c0e89ccc8584b59bee3ae4c8aabd2a9df87f8af
blue-team-tools/rules/windows/powershell/powershell_script/powershell_suspicious_mail_acces.yml
T

28 lines
964 B
YAML
Raw Normal View History

add powershell_suspicious_mail_acces.yml
2021-07-21 15:27:12 +02:00
title: Powershell Local Email Collection
id: 2837e152-93c8-43d2-85ba-c3cd3c2ae614
status: experimental
author: frack113
date: 2021/07/21
description: Adversaries may target user email on local systems to collect sensitive information. Files containing email data can be acquired from a users local system, such as Outlook storage or cache files.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114.001/T1114.001.md
tags:
- attack.collection
- attack.t1114.001
logsource:
product: windows
service: powershell
Update PS rules
2021-08-21 09:50:59 +02:00
definition: Script block logging must be enabled
add powershell_suspicious_mail_acces.yml
2021-07-21 15:27:12 +02:00
detection:
selection:
EventID: 4104
ScriptBlockText|contains:
- 'Get-Inbox.ps1'
- 'Microsoft.Office.Interop.Outlook'
- 'Microsoft.Office.Interop.Outlook.olDefaultFolders'
- '-comobject outlook.application'
condition: selection
falsepositives:
- Unknown
level: medium
Reference in New Issue Copy Permalink