valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-07 09:48:58 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
7ad927f28e
SigmaHQ/rules/windows/process_creation/process_mailboxexport_share.yml
Florian Roth 88a721a1ab
docs: add space in title
2021-08-07 10:13:05 +02:00

27 lines
877 B
YAML
Raw Blame History

title: Suspicious PowerShell Mailbox Export to Share
id: 889719ef-dd62-43df-86c3-768fb08dc7c0
status: experimental
description: Detects a PowerShell New-MailboxExportRequest that exports a mailbox to a local share, as used in ProxyShell exploitations
references:
- https://youtu.be/5mqid-7zp8k?t=2481
- https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html
- https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1
author: Florian Roth
date: 2021/08/07
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains|all:
- 'New-MailboxExport'
- ' -Mailbox '
- ' -FilePath \\127.0.0.1\C$'
condition: selection
falsepositives:
- unknown
level: critical
fields:
- CommandLine
- ParentCommandLine
Reference in New Issue View Git Blame Copy Permalink