security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity
Files
9b39e2626099e11fa3679596d10b00a513974574
blue-team-tools/rules/windows/powershell/powershell_script/posh_ps_send_mailmessage.yml
T
Nasreddine Bencherchali 598d29f811 Merge PR #4950 from @nasbench - Comply With v2 Spec Changes 
chore: change tags, date, modified fields to comply with v2 of the Sigma spec.
chore: update the related type from `obsoletes` to `obsolete`.
chore: update local json schema to the latest version.
2024-08-12 12:02:50 +02:00

29 lines
1.2 KiB
YAML
Raw Blame History

title: Powershell Exfiltration Over SMTP
id: 9a7afa56-4762-43eb-807d-c3dc9ffe211b
status: test
description: |
Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel.
The data may also be sent to an alternate network location from the main command and control server.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1048.003/T1048.003.md#atomic-test-5---exfiltration-over-alternative-protocol---smtp
- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/send-mailmessage?view=powershell-7.4
- https://www.ietf.org/rfc/rfc2821.txt
author: frack113
date: 2022-09-26
tags:
- attack.exfiltration
- attack.t1048.003
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains: 'Send-MailMessage'
filter:
ScriptBlockText|contains: 'CmdletsToExport'
condition: selection and not filter
falsepositives:
- Legitimate script
level: medium
Reference in New Issue View Git Blame Copy Permalink