security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions 45 Packages Projects Releases Wiki Activity

Merge PR #5052 from @dan21san - Update Potential Data Exfiltration Over SMTP Via Send-MailMessage Cmdlet

Browse Source 
update: Potential Data Exfiltration Over SMTP Via Send-MailMessage Cmdlet - Add the "-Attachments" flag to the logic in order to reduce false positives. 
---------

Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
This commit is contained in:
dan21san
2024-11-01 10:20:29 +01:00
committed by GitHub
parent 44176f0c17
commit 05a496388b
1 changed files with 8 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/windows/powershell/powershell_script/posh_ps_send_mailmessage.yml → rules-threat-hunting/windows/powershell/powershell_script/posh_ps_send_mailmessage.yml
+8 -8
View File
@@ -1,28 +1,28 @@
title: Powershell Exfiltration Over SMTP
title: Potential Data Exfiltration Over SMTP Via Send-MailMessage Cmdlet
id: 9a7afa56-4762-43eb-807d-c3dc9ffe211b
status: test
description: |
Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel.
The data may also be sent to an alternate network location from the main command and control server.
Detects the execution of a PowerShell script with a call to the "Send-MailMessage" cmdlet along with the "-Attachments" flag. This could be a potential sign of data exfiltration via Email.
Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1048.003/T1048.003.md#atomic-test-5---exfiltration-over-alternative-protocol---smtp
- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/send-mailmessage?view=powershell-7.4
- https://www.ietf.org/rfc/rfc2821.txt
author: frack113
date: 2022-09-26
modified: 2024-11-01
tags:
- attack.exfiltration
- attack.t1048.003
- detection.threat-hunting
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains: 'Send-MailMessage'
filter:
ScriptBlockText|contains: 'CmdletsToExport'
condition: selection and not filter
ScriptBlockText|contains: 'Send-MailMessage*-Attachments'
condition: selection
falsepositives:
- Legitimate script
- Unknown
level: medium