Windows Redcannary

rules/windows/powershell/powershell_script/powershell_ps_send_mailmessage.yml

@@ -0,0 +1,26 @@
+title: Powershell Exfiltration Over SMTP
+id: 9a7afa56-4762-43eb-807d-c3dc9ffe211b
+status: experimental
+description: |
+  Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel.
+  The data may also be sent to an alternate network location from the main command and control server. 
+references:
+    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.003/T1048.003.md#atomic-test-5---exfiltration-over-alternative-protocol---smtp
+    - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/send-mailmessage?view=powershell-7.2
+    - https://www.ietf.org/rfc/rfc2821.txt
+author: frack113
+date: 2022/01/07
+logsource:
+    product: windows
+    category: ps_script
+    definition: 'Script block logging must be enabled'
+detection:
+    selection_cmdlet:
+        ScriptBlockText|contains: Send-MailMessage
+    condition: selection_cmdlet
+falsepositives:
+    - legitim script
+level: medium
+tags:
+    - attack.exfiltration
+    - attack.t1048.003