Merge pull request #4084 from nasbench/master

chore: rollback previous state of the rule
2023-03-01 14:12:46 +01:00
parent b584dd198e 3c425a0b03
commit bd9f82efa2
1 changed files with 3 additions and 3 deletions
@@ -6,7 +6,7 @@ references:
    - https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html
 author: Florian Roth (Nextron Systems), Rich Warren, Christian Burkard (Nextron Systems)
 date: 2021/08/09
-modified: 2022/10/26
+modified: 2023/02/28
 tags:
    - attack.persistence
    - attack.t1505.003
@@ -18,13 +18,13 @@ detection:
        - 'New-MailboxExportRequest'
        - ' -Mailbox '
    export_params:
-        - '-FilePath "\\\\' # We care about any share location
+        - '-FilePath "\\\\' # We care about any share location.
        - '.aspx'
    role_assignment:
        - 'New-ManagementRoleAssignment'
        - ' -Role "Mailbox Import Export"'
        - ' -User '
-    condition: all of export_* or role_assignment
+    condition: (all of export_command and export_params) or all of role_assignment
 falsepositives:
    - Unlikely
 level: critical