security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
7d6f32d1beee643e80d7e033b4b85e3a065dbfcd
blue-team-tools/rules/windows/powershell/powershell_script/posh_ps_send_mailmessage.yml
T
frack113 020fc8061f Merge PR #4479 From @frack113 - Upgrade Rules Status 
chore: Upgrade status level from `experimental` to `test` for rules that have not changed in 300 days

---------

Signed-off-by: frack113 <62423083+frack113@users.noreply.github.com>
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2023-10-17 14:35:26 +02:00

29 lines
1.2 KiB
YAML
Raw Blame History

title: Powershell Exfiltration Over SMTP
id: 9a7afa56-4762-43eb-807d-c3dc9ffe211b
status: test
description: |
Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel.
The data may also be sent to an alternate network location from the main command and control server.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1048.003/T1048.003.md#atomic-test-5---exfiltration-over-alternative-protocol---smtp
- https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/send-mailmessage?view=powershell-7.2
- https://www.ietf.org/rfc/rfc2821.txt
author: frack113
date: 2022/09/26
tags:
- attack.exfiltration
- attack.t1048.003
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains: 'Send-MailMessage'
filter:
ScriptBlockText|contains: 'CmdletsToExport'
condition: selection and not filter
falsepositives:
- Legitimate script
level: medium
Reference in New Issue View Git Blame Copy Permalink