security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add/Update Exchange/Mailbox Rules

Browse Source
This commit is contained in:
Nasreddine Bencherchali
2022-10-26 23:17:54 +02:00
parent 6f4250e434
commit efe0cf5871
5 changed files with 89 additions and 13 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/windows/powershell/powershell_script/posh_ps_exchange_mailbox_smpt_forwarding_rule.yml
+24
View File
@@ -0,0 +1,24 @@
title: Suspicious PowerShell Mailbox SMTP Forward Rule
id: 15b7abbb-8b40-4d01-9ee2-b51994b1d474
status: experimental
description: Detects usage of the powerShell Set-Mailbox Cmdlet to set-up an SMTP forwarding rule.
references:
- https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/
author: Nasreddine Bencherchali
date: 2022/10/26
tags:
- attack.exfiltration
logsource:
product: windows
category: ps_script
definition: Script block logging must be enabled
detection:
selection:
ScriptBlockText|contains|all:
- 'Set-Mailbox '
- ' -DeliverToMailboxAndForward '
- ' -ForwardingSmtpAddress '
condition: selection
falsepositives:
- Legitimate usage of the cmdlet to forward emails
level: medium
rules/windows/powershell/powershell_script/posh_ps_mailboxexport_share.yml
+33
View File
@@ -0,0 +1,33 @@
title: Suspicious PowerShell Mailbox Export to Share - PS
id: 4a241dea-235b-4a7e-8d76-50d817b146c4
related:
- id: 889719ef-dd62-43df-86c3-768fb08dc7c0
type: derived
status: experimental
description: Detects usage of the powerShell New-MailboxExportRequest Cmdlet to exports a mailbox to a remote or local share, as used in ProxyShell exploitations
references:
- https://youtu.be/5mqid-7zp8k?t=2481
- https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html
- https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1
- https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/
author: Nasreddine Bencherchali
date: 2022/10/26
tags:
- attack.exfiltration
logsource:
product: windows
category: ps_script
definition: Script block logging must be enabled
detection:
selection:
ScriptBlockText|contains|all:
- 'New-MailboxExportRequest'
- ' -Mailbox '
- ' -FilePath \\\\'
condition: selection
falsepositives:
- Unknown
level: critical
fields:
- CommandLine
- ParentCommandLine