From 92ae27600fc8c156f72c99ff69b927401b190571 Mon Sep 17 00:00:00 2001
From: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Date: Tue, 24 Jan 2023 07:54:55 -0300
Subject: [PATCH] [New Rule] PowerShell Mailbox Collection Script (#2461)

---
 rules/windows/collection_posh_mailbox.toml | 86 ++++++++++++++++++++++
 1 file changed, 86 insertions(+)
 create mode 100644 rules/windows/collection_posh_mailbox.toml

diff --git a/rules/windows/collection_posh_mailbox.toml b/rules/windows/collection_posh_mailbox.toml
new file mode 100644
index 000000000..59ad5803d
--- /dev/null
+++ b/rules/windows/collection_posh_mailbox.toml
@@ -0,0 +1,86 @@
+[metadata]
+creation_date = "2023/01/11"
+integration = ["windows"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/01/11"
+
+[rule]
+author = ["Elastic"]
+description = """
+Detects PowerShell scripts that can be used to collect data from mailboxes. Adversaries may target user email to collect
+sensitive information.
+"""
+from = "now-9m"
+index = ["winlogbeat-*", "logs-windows.*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "PowerShell Mailbox Collection Script"
+references = [
+    "https://github.com/dafthack/MailSniper/blob/master/MailSniper.ps1",
+    "https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/master/apt29/Archive/CALDERA_DIY/evals/payloads/stepSeventeen_email.ps1",
+]
+risk_score = 47
+rule_id = "a2d04374-187c-4fd9-b513-3ad4e7fdd67a"
+severity = "medium"
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Collection", "PowerShell"]
+timestamp_override = "event.ingested"
+type = "query"
+
+query = '''
+event.category:process and
+  (
+   powershell.file.script_block_text : (
+      "Microsoft.Office.Interop.Outlook" or
+      "Interop.Outlook.olDefaultFolders" or
+      "::olFolderInBox"
+   ) or
+   powershell.file.script_block_text : (
+      "Microsoft.Exchange.WebServices.Data.Folder" or
+      "Microsoft.Exchange.WebServices.Data.FileAttachment"
+   )
+   )
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1114"
+name = "Email Collection"
+reference = "https://attack.mitre.org/techniques/T1114/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1114.001"
+name = "Local Email Collection"
+reference = "https://attack.mitre.org/techniques/T1114/001/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1114.002"
+name = "Remote Email Collection"
+reference = "https://attack.mitre.org/techniques/T1114/002/"
+
+[rule.threat.tactic]
+id = "TA0009"
+name = "Collection"
+reference = "https://attack.mitre.org/tactics/TA0009/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1059"
+name = "Command and Scripting Interpreter"
+reference = "https://attack.mitre.org/techniques/T1059/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1059.001"
+name = "PowerShell"
+reference = "https://attack.mitre.org/techniques/T1059/001/"
+
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"