valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-07 17:58:52 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Merge pull request #1720 from frack113/redcanary_t1411_001

Browse Source 
[OSCD] powershell_suspicious_mail_acces.yml T1114.001
This commit is contained in:
Florian Roth 2021-07-22 14:53:21 +02:00 committed by GitHub
commit 132bd8fdd8
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 27 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

27
rules/windows/powershell/powershell_suspicious_mail_acces.yml Normal file
View File

@ -0,0 +1,27 @@
title: Powershell Local Email Collection
id: 2837e152-93c8-43d2-85ba-c3cd3c2ae614
status: experimental
author: frack113
date: 2021/07/21
description: Adversaries may target user email on local systems to collect sensitive information. Files containing email data can be acquired from a users local system, such as Outlook storage or cache files.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114.001/T1114.001.md
tags:
- attack.collection
- attack.t1114.001
logsource:
product: windows
service: powershell
description: EnableScriptBlockLogging must be set to enable
detection:
selection:
EventID: 4104
ScriptBlockText|contains:
- 'Get-Inbox.ps1'
- 'Microsoft.Office.Interop.Outlook'
- 'Microsoft.Office.Interop.Outlook.olDefaultFolders'
- '-comobject outlook.application'
condition: selection
falsepositives:
- Unknown
level: medium