security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
291ca18d22f720f2ebcd30cf468f4434cecccdaa
blue-team-tools/rules/windows/powershell/powershell_script/posh_ps_send_mailmessage.yml
T
Nasreddine Bencherchali 711ba956e3 feat: updates and enhancements
2023-01-04 17:49:32 +01:00

29 lines
1.2 KiB
YAML
Raw Blame History

title: Powershell Exfiltration Over SMTP
id: 9a7afa56-4762-43eb-807d-c3dc9ffe211b
status: experimental
description: |
Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel.
The data may also be sent to an alternate network location from the main command and control server.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1048.003/T1048.003.md#atomic-test-5---exfiltration-over-alternative-protocol---smtp
- https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/send-mailmessage?view=powershell-7.2
- https://www.ietf.org/rfc/rfc2821.txt
author: frack113
date: 2022/09/26
tags:
- attack.exfiltration
- attack.t1048.003
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains: 'Send-MailMessage'
filter:
ScriptBlockText|contains: 'CmdletsToExport'
condition: selection and not filter
falsepositives:
- Legitimate script
level: medium
Reference in New Issue View Git Blame Copy Permalink