security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
b24e863a1ca78d00eccee2076b2ee671b8a3f2ff
blue-team-tools/rules/windows/powershell/powershell_script/posh_ps_send_mailmessage.yml
T
Nasreddine Bencherchali 711ba956e3 feat: updates and enhancements
2023-01-04 17:49:32 +01:00

29 lines
1.2 KiB
YAML
Raw Blame History

title: Powershell Exfiltration Over SMTP
id: 9a7afa56-4762-43eb-807d-c3dc9ffe211b
status: experimental
description: |
Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel.
The data may also be sent to an alternate network location from the main command and control server.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1048.003/T1048.003.md#atomic-test-5---exfiltration-over-alternative-protocol---smtp
- https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/send-mailmessage?view=powershell-7.2
- https://www.ietf.org/rfc/rfc2821.txt
author: frack113
date: 2022/09/26
tags:
- attack.exfiltration
- attack.t1048.003
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains: 'Send-MailMessage'
filter:
ScriptBlockText|contains: 'CmdletsToExport'
condition: selection and not filter
falsepositives:
- Legitimate script
level: medium
Reference in New Issue View Git Blame Copy Permalink